Abstract

We introduce Priority Channel Systems, a new class of channel systems
where messages carry a numeric priority and where higher-priority
messages can supersede lower-priority messages preceding them in the fifo
communication buffers. The decidability of safety and inevitability
properties is shown via the introduction of a priority embedding, a
well-quasi-ordering that has not previously been used in well-structured systems.
We then show how Priority Channel Systems can compute Fast-Growing
functions and prove that the aforementioned verification problems are
$\mathbf{F}_{\varepsilon_0}$-complete.



1 Introduction 

Channel systems are a family of distributed models where concurrent agents
communicate via (usually unbounded) fifo communication buffers, called
"channels". These models are well-suited for the formal specification and
algorithmic analysis of communication protocols and concurrent programs
(Boigelot and Godefroid 1999; Bouajjani and Habermehl 1999; Cécé and Finkel 2005).
They are also a fundamental model of computation, closely related to Post's tag
systems.

A particularly interesting class of channel systems are the so-called lossy
channel systems (LCSs), where channels are unreliable and may lose
messages (Cécé et al. 1996; Abdulla and Jonsson 1996; Bouyer et al. 2012). For
LCSs, several important behavioral properties, like safety or inevitability, are
decidable. This is because these systems are well-structured: transitions are
monotonic wrt. a (decidable) well-quasi-ordering of the configuration space
(Abdulla et al. 2000; Finkel and Schnoebelen 2001). Beyond their applications in
verification, LCSs have turned out to be an important automata-theoretic tool
for decidability or hardness in areas like Timed Automata, Metric Temporal
Logic, modal logics, etc. (Abdulla et al. 2005; Kurucz 2006; Ouaknine and
Worrell 2007; Lasota and Walukiewicz 2008). They are also a
model of computation capturing the -complexity level in Wainer et al.'s
Fast-Growing Hierarchy, see (Chambart and Schnoebelen 2008; Schmitz and
Schnoebelen 2011, 2012).

Despite their wide applicability, LCSs reveal shortcomings when applied to
modeling systems or protocols that treat messages discriminatingly according
to some specified rule set. An example is the prioritisation of messages, which
is central to ensuring quality of service (QoS) properties in networking
architectures, and is usually implemented by allowing for tagging messages with some
relative priority. For instance, the Differentiated Services (DiffServ)
architecture, described in RFC 2475, allows for a field specifying the relative priority
of an IP packet with respect to a finite set of priorities, and network links may
decide to arbitrarily drop IP packets of lower priority in favor of higher priority
packets once the network congestion reaches a critical point.

* Work partially funded by the ReacHard project ANR 11 BS02 001 01.



Our contributions. In this paper, we introduce Priority Channel Systems, or
PCSs for short, a family of channel systems where each message is equipped with
a priority level, and where higher-priority messages can supersede lower-priority
messages (that are dropped). Our model abstracts from the contents of messages
by just considering the priority levels (but see App. D for a generalization to
infinite alphabets of message contents). We show that PCSs are well-structured
when configurations are ordered by the (prioritized) superseding ordering, a new
well-quasi-ordering that is closely related to the gap-embedding of (Schütte and
Simpson 1985). This entails the decidability of safety and termination (among
other properties) for PCSs.



Using techniques from (Schmitz and Schnoebelen 2011; Schütte and Simpson
1985), the proof that the superseding ordering is a well-quasi-ordering gives
an $\mathbf{F}_{\varepsilon_0}$ upper bound on the complexity of PCS verification, far higher than the
-complete complexity of LCSs.

In the second part of this paper, we prove a matching lower bound: building
upon ideas and techniques developed for less powerful models (Chambart and
Schnoebelen 2008; Schnoebelen 2010a; Haddad et al. 2012), we show how PCSs
can robustly simulate the computation of Fast Growing Functions $F_\alpha$ (and their
inverses) for all ordinals $\alpha$ up to $\varepsilon_0$.

Along the way we show how some other well-quasi-ordered data structures,
e.g. trees with strong embedding, can be reflected in strings with priority
ordering, opening the way to upper bounds in other areas of algorithmic
verification.



2 Priority Channel Systems 

We define Priority Channel Systems as consisting of a single process since this
is sufficient for our purposes in this paper.¹

For every $d \in \mathbb{N}$, the level-$d$ priority alphabet is $\Sigma_d = \{0, 1, \ldots, d\}$. A level-$d$
priority channel system (a "$d$-PCS") is a tuple $S = (\Sigma_d, \mathtt{Ch}, Q, \Delta)$ where $\Sigma_d$ is
as above, $\mathtt{Ch} = \{c_1, \ldots, c_m\}$ is a set of $m$ channel names, $Q = \{q_1, q_2, \ldots\}$ is a
finite set of control states, and $\Delta \subseteq Q \times \mathtt{Ch} \times \{!, ?\} \times \Sigma_d \times Q$ is a set of transition
rules (see below).

1 Obviously, systems that are more naturally seen as made up of several concurrent
components can be represented by a single process obtained as an asynchronous product of the
components.

Figure 1: A simple single-channel 3-PCS. (Transition labels: c!1, c!3, c?3.)

2.1 Semantics 

The operational semantics of a PCS $S$ is given under the form of a transition
system. We let $\mathit{Conf}_S = Q \times (\Sigma_d^*)^m$ be the set of all configurations of $S$, denoted
$C, D, \ldots$ A configuration $C = (q, x_1, \ldots, x_m)$ records an instantaneous control
point (a state in $Q$) and the contents of the $m$ channels (sequences of messages
from $\Sigma_d$). A sequence $x \in \Sigma_d^*$ has the form $x = a_1 \cdots a_\ell$ and we let $\ell = |x|$.
Concatenation is denoted multiplicatively, with $\varepsilon$ denoting the empty sequence.

The labeled transition relation between configurations, denoted $C \xrightarrow{\delta} C'$, is
generated by the rules in $\Delta = \{\delta_1, \ldots, \delta_k\}$. It is actually convenient to define
three such transition relations, denoted $\to_{\mathrm{rel}}$, $\to_w$, and $\to_\#$ respectively.

Reliable Semantics. We start with $\to_{\mathrm{rel}}$ that corresponds to "reliable" steps,
or more correctly steps with no superseding of lower-priority messages. As
is standard, for a reading rule of the form $\delta = (q, c_i, ?, a, q') \in \Delta$, there is
a step $C \xrightarrow{\delta}_{\mathrm{rel}} C'$ if $C = (q, x_1, \ldots, x_m)$ and $C' = (q', y_1, \ldots, y_m)$ for some
$x_1, y_1, \ldots, x_m, y_m$ such that $x_i = a y_i$ and $x_j = y_j$ for all $j \neq i$, while for a
writing rule $\delta = (q, c_i, !, a, q') \in \Delta$, there is a step $C \xrightarrow{\delta}_{\mathrm{rel}} C'$ if $y_i = x_i a$ (and
$x_j = y_j$ for all $j \neq i$). These "reliable" steps correspond to the behavior of
queue automata, or (reliable) channel systems, a Turing-powerful computation
model.

Write-Superseding. The actual behavior of PCSs, denoted $\to_w$, is best
defined as a modification of $\to_{\mathrm{rel}}$, and more precisely by modifying the semantics of
writing rules. Formally, for $\delta = (q, c_i, !, a, q') \in \Delta$, and for $C$, $C'$ as above, there
is a step $C \xrightarrow{\delta}_w C'$ if $y_i = z a$ for a factorization $x_i = z z'$ of $x_i$ where $z' \in \Sigma_a^*$,
i.e., where $z'$ only contains messages from the level-$a$ priority subalphabet. In
other words, after $c_i!a$, the channel will contain a sequence $y_i$ obtained from $x_i$
by appending $a$ in a way that may drop (erase) any number of suffix messages
with priority $\le a$, hence the "$z' \in \Sigma_a^*$" requirement. (And $x_j = y_j$ for all $j \neq i$.)

Reading steps are unchanged so that $C \xrightarrow{\delta}_{\mathrm{rel}} C'$ implies $C \xrightarrow{\delta}_w C'$. This gives
rise to a transition system $S_w = (\mathit{Conf}_S, \to_w)$.

For example, the PCS from Figure 1 has the following run:

$$p, 02\underline{00} \xrightarrow{!1}_w q, 0\underline{21} \xrightarrow{!3}_w q, 03 \xrightarrow{!3}_w q, \underline{033} \xrightarrow{!3}_w q, 3 \xrightarrow{?3}_w p, \varepsilon$$

where in every configuration we underline the messages that will be superseded
in the next step (and where, for simplicity, we do not write the full rule $\delta$ on
the steps). Note that, as specified in the semantics, the first step could not be
"$(p, 0200) \xrightarrow{!1}_w (q, 21)$": the written 1 is not allowed to supersede the
higher-priority 2 hence it cannot supersede the 0 that is earlier in the channel.

Internal-Superseding. There is another semantics for priorities, obtained by
extending reliable steps with internal superseding steps, denoted $C \xrightarrow{c_i \# k}_\# C'$,
which can be performed at any time in an uncontrolled manner.

Formally, for two words $x, y \in \Sigma_d^*$ and $k \in \mathbb{N}$, we write $x \xrightarrow{\#k} y$ when $x$ is some
$a_1 \cdots a_\ell$, $1 \le k < |x| = \ell$, $a_k \le a_{k+1}$ and $y = a_1 \cdots a_{k-1} a_{k+1} \cdots a_\ell$. In other
words, the $k$-th message in $x$ is superseded by its immediate successor $a_{k+1}$, with
the condition that $a_k$ is not of higher priority. We write $x \to_\# y$ when $x \xrightarrow{\#k} y$
for some $k$, and use $x \leftarrow_\# y$ when $y \to_\# x$. The transitive reflexive closure $\leftarrow_\#^*$
is called the superseding ordering and is denoted by $\le_\#$. Put differently, $\to_\#$ is
a rewrite relation over $\Sigma_d^*$ according to the rules $\{a a' \to a' \mid 0 \le a \le a' \le d\}$.

This is extended to steps between configurations by $C = (q, x_1, \ldots, x_m) \xrightarrow{c_i \# k}_\#
C' = (q', y_1, \ldots, y_m)$ iff $q = q'$ and $x_i \xrightarrow{\#k} y_i$ (and $x_j = y_j$ for $j \neq i$).
Furthermore, every reliable step is a valid step: for any rule $\delta$, $C \xrightarrow{\delta}_\# C'$ iff $C \xrightarrow{\delta}_{\mathrm{rel}} C'$,
giving rise to a second transition system associated with $S$: $S_\# = (\mathit{Conf}_S, \to_\#)$.
E.g., the PCS from Fig. 1 can perform

$$p, 0200 \to_\# q, 02001 \to_\# q, 0201 \to_\# q, 201 \to_\# q, 21$$

while, as we noted earlier, $(p, 0200) \not\to_w (q, 21)$.
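The two semantics can be executed directly. The following Python sketch is an added example, not code from the paper: it replays both runs above on a single channel. The rule set `RULES` is an assumption inferred from those runs (Figure 1 did not survive extraction), channel contents are strings of digits (so it assumes d ≤ 9), and all function names are hypothetical.

```python
from collections import deque

# Rules (state, op, priority, new_state) of a single-channel PCS. Assumption:
# these three are inferred from the runs quoted in the text, not read off
# Figure 1, so the original system may contain further rules.
RULES = [("p", "!", 1, "q"), ("q", "!", 3, "q"), ("q", "?", 3, "p")]

def write_superseding(x, a):
    """Channel contents after writing a on x under ->_w: x = z z' with every
    message of z' of priority <= a, and the result is z a."""
    results, cut = set(), len(x)
    while True:
        results.add(x[:cut] + str(a))
        if cut == 0 or int(x[cut - 1]) > a:   # a higher priority blocks further drops
            break
        cut -= 1
    return results

def internal_superseding(x):
    """All y with x ->_# y on words: erase a_k whenever a_k <= a_{k+1}."""
    return {x[:k] + x[k + 1:] for k in range(len(x) - 1) if x[k] <= x[k + 1]}

def steps_w(conf, rules=RULES):
    """One-step successors of conf = (state, channel) under ->_w."""
    q, x = conf
    out = set()
    for src, op, a, dst in rules:
        if src != q:
            continue
        if op == "!":
            out |= {(dst, y) for y in write_superseding(x, a)}
        elif x.startswith(str(a)):            # a read consumes the head message
            out.add((dst, x[1:]))
    return out

def steps_hash(conf, rules=RULES):
    """One-step successors under ->_#: reliable steps plus internal superseding."""
    q, x = conf
    out = {(q, y) for y in internal_superseding(x)}
    for src, op, a, dst in rules:
        if src != q:
            continue
        if op == "!":
            out.add((dst, x + str(a)))        # reliable write, nothing is dropped
        elif x.startswith(str(a)):
            out.add((dst, x[1:]))
    return out

def is_run(confs, step):
    """True iff every configuration is a one-step successor of the previous one."""
    return all(b in step(a) for a, b in zip(confs, confs[1:]))

def reachable(start, step, max_len):
    """Configurations reachable from start, pruning channels longer than max_len."""
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in step(todo.popleft()):
            if len(nxt[1]) <= max_len and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

W_RUN = [("p", "0200"), ("q", "021"), ("q", "03"), ("q", "033"), ("q", "3"), ("p", "")]
HASH_RUN = [("p", "0200"), ("q", "02001"), ("q", "0201"), ("q", "201"), ("q", "21")]
```

With these rules, `(q, 21)` is reachable from `(p, 0200)` under the Internal-Superseding steps but not under Write-Superseding, since a 2 is never written and the initial 2 cannot survive a read.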



2.2 Relating the Superseding Semantics 

The Write-Superseding semantics adopts a localized viewpoint, where a single
system or protocol manages several priority levels for its communication through
a fifo channel that can be congested.

The Internal-Superseding semantics allows superseding to occur at any time
(not just when writing) and anywhere in the channel. It is appropriate when
abstracting from situations where end-to-end communication actually goes through
a series of consecutive relays, network switches and buffers, each of them
possibly handling the incoming traffic with a Write-Superseding policy.

When developing the formal theory of PCSs, $S_\#$, the Internal-Superseding
semantics, is more liberal and harder to control than $S_w$. It is also finer-grained
than $S_w$ (superseding occurs one message at a time) but this is less significant.

The consequence is that, in practice, it is usually easier to design a correct
PCS (and to prove its correctness) when one assumes the Write-Superseding
semantics (as we do in Section 6), while it is easier to develop the formal theory
of PCSs with the Internal-Superseding semantics (as we do next). However, the
two semantics are, in a sense, equivalent since $S_\#$ and $S_w$ simulate one another:

Proposition 1 (See App. A). Let $C_0 = (q, \varepsilon, \ldots, \varepsilon)$ be a configuration with
empty channels, and $C_f$ be any configuration. Then $C_0 \to_w^* C_f$ if, and only if,
$C_0 \to_\#^* C_f$.

We conclude this discussion by observing that PCSs can simulate lossy
channel systems (in fact they can simulate the dynamic lossy channel systems and
the timed lossy channel systems of (Abdulla et al. 2012), see App. B). Hence
reachability and termination (see Thm. 2) are at least F^-hard for PCSs, and
problems like boundedness or repeated control-state reachability (see
(Schnoebelen 2010b) for more) are undecidable for them.

Remark 1 (A stricter policy?). It is possible to define a stricter policy for
priorities where a higher-priority message may only supersede messages with strictly
lower priority. Write x — >> y when $x \xrightarrow{\#k} y$ and $x = a_1 \cdots a_\ell$ has $a_k < a_{k+1}$.
This semantics is natural in some situations but the resulting model is
Turing-powerful (see App. B) and not amenable to the wqo-based algorithmic
techniques we develop for PCSs.



2.3 Priority Channel Systems are Well-Structured 

Our main result regarding the verification of PCSs is that they are well-structured
systems. Recall that $C \le_\# D$ iff $C$ is some $(p, y_1, \ldots, y_m)$ and $D$ is $(p, x_1, \ldots, x_m)$
with $x_i \ge_\# y_i$ for $i = 1, \ldots, m$, or equivalently, $C$ can be obtained from $D$ by
internal superseding steps.

Theorem 1 (PCSs are WSTSs). For any PCS $S$, the transition system $S_\#$
with configurations ordered by $\le_\#$ is a well-structured transition system (with
stuttering compatibility).

Proof. There are two conditions to check:

1. wqo: $(\mathit{Conf}_S, \le_\#)$ is a well-quasi-ordering as will be shown next (see
   Thm. 3 in Section 3).

2. monotonicity: Checking stuttering compatibility (see (Finkel and
   Schnoebelen 2001, def. 4.4)) is trivial with the $\le_\#$ ordering. Indeed, assume
   that $C \le_\# D$ and that $C \to_\# C'$ is a step from the "smaller"
   configuration. Then in particular $D \to_\#^* C$ by definition of $\le_\#$, so that clearly
   $D \to_\#^+ C'$ and $D$ can simulate any step from $C$. □

Observe that it would not be so easy to prove well-structuredness for $S_w$ (to
begin with, another ordering would be required).

A consequence of the well-structuredness of PCSs is the decidability of
several natural verification problems. In this paper we focus on "Reachability"²
(given a PCS, an initial configuration $C_0$, and a set of configurations $G \subseteq \mathit{Conf}_S$,
does $C_0 \to_\#^* D$ for some $D \in G$?), and "Inevitability" (do all maximal runs from
$C_0$ eventually visit $G$?) which includes "Termination" as a special case.

Theorem 2 (Verifying PCSs). Reachability and Inevitability are decidable for 
PCSs with Internal-Superseding semantics. 



Proof (Sketch). The generic WSTS algorithms (Finkel and Schnoebelen 2001)
apply after we check the minimal effectivity requirements: the ordering $\le_\#$
between configurations is decidable (even in NLogSpace, see Section 3.2) and the
operational semantics is finitely branching and effective (one can compute the
immediate successors of a configuration, and the minimal immediate
predecessors of an upward-closed set).

We note that Reachability and Coverability coincide (even for zero-length 

runs when Co has empty channels) since coincides with o — and 
that the answer to a Reachability question only depends on the (finitely many)
minimal elements of $G$. One can even compute $\mathit{Pre}^*(G)$ for $G$ given, e.g., as a
regular subset of $\mathit{Conf}_S$.

For Inevitability, the algorithms in (Abdulla et al. 2000; Finkel and
Schnoebelen 2001) assume that $G$ is downward-closed but, in our case where — >#
and o coincide, decidability can be shown for arbitrary (recursive) $G$,
as in (Schnoebelen 2010b, Thm. 4.4). □

2 Also called "Safety" when we want to check that $G$ is not reachable.

Remark 2. With Prop. 1 and standard coding tricks, Thm. 2 directly
provides decidability for Reachability and Termination when one assumes
Write-Superseding semantics.



3 Priority Embedding 

This section focuses on the superseding ordering $\le_\#$ on words and establishes
the fundamental properties we use for reasoning about PCSs. Recall that
$\le_\# \,=\, \leftarrow_\#^*$, the reflexive transitive closure of the inverse of $\to_\#$; we prove
that $(\Sigma_d^*, \le_\#)$ is a well-quasi-ordering (a wqo). Recall that a quasi-ordering
$(X, \preceq)$ is a wqo if any infinite sequence $x_0, x_1, x_2, \ldots$ over $X$ contains an infinite
increasing subsequence $x_{i_0} \preceq x_{i_1} \preceq x_{i_2} \preceq \cdots$

3.1 Embedding with Priorities 

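For two words $x, y \in \Sigma_d^*$, we let $x \sqsubseteq_p y$ iff $x = a_1 \cdots a_\ell$ and $y$ can be factored as
$y = z_1 a_1 z_2 a_2 \cdots z_\ell a_\ell$ with $z_i \in \Sigma_{a_i}^*$ for $i = 1, \ldots, \ell$. For example, $201 \sqsubseteq_p 22011$
but $120 \not\sqsubseteq_p 10210$ (factoring 10210 as $z_1 1 z_2 2 z_3 0$ needs $z_3 = 1 \notin \Sigma_0^*$). If $x \sqsubseteq_p y$
then $x$ is a subword of $y$ and $x$ can be obtained from $y$ by removing factors of
messages with priority not above the first preserved message to the right of the
factor. In particular, $x \sqsubseteq_p y$ implies $y \to_\#^* x$, i.e., $x \le_\# y$.
The definition immediately yields:

$$\varepsilon \sqsubseteq_p y \text{ iff } y = \varepsilon, \quad (1)$$
$$x_1 \sqsubseteq_p y_1 \text{ and } x_2 \sqsubseteq_p y_2 \text{ imply } x_1 x_2 \sqsubseteq_p y_1 y_2, \quad (2)$$
$$x_1 x_2 \sqsubseteq_p y \text{ imply } \exists y_1 \sqsupseteq_p x_1 : \exists y_2 \sqsupseteq_p x_2 : y = y_1 y_2. \quad (3)$$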

Lemma 1. $(\Sigma_d^*, \sqsubseteq_p)$ is a quasi-ordering (i.e., is reflexive and transitive).

Proof. Reflexivity is obvious from the definition. For transitivity, consider $x' \sqsubseteq_p
x \sqsubseteq_p y$ with $x = a_1 \cdots a_\ell$ and $y = z_1 a_1 \cdots z_\ell a_\ell$. In view of Eqs. (1–3) it is enough
to show $x' \sqsubseteq_p y$ in the case where $|x'| = 1$. Consider then $x' = a$. Now $x' \sqsubseteq_p x$
implies $a = a_\ell$ and $a \ge a_i$, hence $\Sigma_{a_i}^* \subseteq \Sigma_a^*$, for all $i = 1, \ldots, \ell$. Letting
$z = z_1 a_1 \cdots z_{\ell-1} a_{\ell-1} z_\ell$ yields $y = z a$ for $z \in \Sigma_a^*$. Hence $x' \sqsubseteq_p y$. □

We can now relate superseding and priority orderings with:

Proposition 2. For all $x, y \in \Sigma_d^*$, $x \sqsubseteq_p y$ iff $x \le_\# y$.

Proof. Obviously, $y \xrightarrow{\#k} x$ allows $x \sqsubseteq_p y$ with $z_k$ being the superseded message
(and $z_i = \varepsilon$ for $i \neq k$), so that $\le_\#$ is included in $\sqsubseteq_p$ by Lem. 1. In the other
direction $x \sqsubseteq_p y$ entails $x \le_\# y$ as noted earlier. □

3.2 Canonical Factorizations and Well-quasi-ordering

For our next development, we define the height, written $h(x)$, of a sequence
$x \in \Sigma_d^*$ as being the highest priority occurring in $x$ (by convention, we let
$h(\varepsilon) = -1$). Thus, $x \in \Sigma_h^*$ iff $h \ge h(x)$. (We further let $\Sigma_{-1} = \emptyset$.) Any
$x \in \Sigma_d^*$ has a unique canonical factorization $x = x_0 h x_1 h \cdots x_{k-1} h x_k$ where $k$ is
the number of occurrences of $h = h(x)$ in $x$ and where the $k + 1$ residuals $x_0$,
$x_1, \ldots, x_k$ are in $\Sigma_{h-1}^*$.

The point of this decomposition is the following sufficient condition for $x \sqsubseteq_p y$.

Lemma 2. Let $x = x_0 h \cdots h x_k$ and $y = y_0 h \cdots h y_m$ be canonical factorizations
with $h = h(x) = h(y)$. If there is a sequence $0 = j_0 < j_1 < j_2 < \cdots < j_{k-1} <
j_k = m$ of indexes s.t. $x_i \sqsubseteq_p y_{j_i}$ for all $i = 0, \ldots, k$ then $x \sqsubseteq_p y$.

Proof. We show $x \le_\# y$. Note that $h y_i h \to_\#^* h$ for all $i = 1, \ldots, m$, so $y \to_\#^*
y' = y_{j_0} h y_{j_1} h y_{j_2} \cdots$ (recall that $0 = j_0$ and $m = j_k$). From $x_i \sqsubseteq_p y_{j_i}$ we
deduce $y_{j_i} \to_\#^* x_i$ for all $i = 0, \ldots, k$, hence $y' \to_\#^* x_0 h \cdots h x_k = x$. □

The condition in the statement of Lemma 2 is usually written $(x_0, \ldots, x_k) \sqsubseteq_{p,*}
(y_0, \ldots, y_m)$, using the sequence extension of $\sqsubseteq_p$ on sequences of residuals.

Theorem 3. $(\Sigma_d^*, \sqsubseteq_p)$ is a well-quasi-ordering (a wqo).

Proof. By induction on $d$. The base case $d = -1$ is trivial since $\Sigma_{-1}^*$ is $\emptyset^* = \{\varepsilon\}$,
a singleton. For the induction step, consider an infinite sequence $x_0, x_1, \ldots$
over $\Sigma_d^*$. We can extract an infinite subsequence, where all $x_i$'s have the same
height $h$ (since $h(x_i)$ is in a finite set) and, since the residuals are in $\Sigma_{d-1}^*$,
a wqo by ind. hyp., further extract an infinite subsequence where the first
and the last residuals are increasing, i.e., $x_{i_0,0} \sqsubseteq_p x_{i_1,0} \sqsubseteq_p x_{i_2,0} \sqsubseteq_p \cdots$ and
$x_{i_0,k_0} \sqsubseteq_p x_{i_1,k_1} \sqsubseteq_p x_{i_2,k_2} \sqsubseteq_p \cdots$. Now recall that, by Higman's Lemma, the
sequence extension $((\Sigma_{d-1}^*)^*, \sqsubseteq_{p,*})$ is a wqo since, by ind. hyp., $(\Sigma_{d-1}^*, \sqsubseteq_p)$ is a wqo.
We may thus further extract an infinite subsequence that is increasing for $\sqsubseteq_{p,*}$
on the residuals, i.e., with $(x_{i_0,0}, x_{i_0,1}, \ldots, x_{i_0,k_0}) \sqsubseteq_{p,*} (x_{i_1,0}, x_{i_1,1}, \ldots, x_{i_1,k_1}) \sqsubseteq_{p,*}
(x_{i_2,0}, x_{i_2,1}, \ldots, x_{i_2,k_2}) \sqsubseteq_{p,*} \cdots$. With Lemma 2 we deduce $x_{i_0} \sqsubseteq_p x_{i_1} \sqsubseteq_p x_{i_2} \sqsubseteq_p
\cdots$. Hence $(\Sigma_d^*, \sqsubseteq_p)$ is a wqo. □

Remark 3. Thm. 3 and Prop. 2 prove that $\le_\#$ is a wqo on configurations
of PCSs, as we assumed in Section 2.3. There we also assumed that $\le_\#$ is
decidable. We can now see that it is in NLogSpace, since, in view of Prop. 2,
one can check whether $x \le_\# y$ by reading $x$ and $y$ simultaneously while guessing
nondeterministically a factorization $z_1 a_1 \cdots z_\ell a_\ell$ of $y$, and checking that $z_i \in
\Sigma_{a_i}^*$.
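As an added example (not code from the paper), the check described in Remark 3 can be made deterministic by replacing the nondeterministic guess with dynamic programming over prefixes of $y$; the same block then tests Proposition 2 by brute force on short words, comparing the embedding with exhaustive application of the rewrite rules $a a' \to a'$. Words are strings of digits (assumes d ≤ 9) and all function names are hypothetical.

```python
from itertools import product

def priority_embeds(x, y):
    """Decide x ⊑_p y, i.e. y = z_1 a_1 ... z_l a_l with each z_i over {0..a_i}."""
    # ok[j] is True iff the letters of x read so far embed into y[:j]
    # with the last of them matched at position j-1 of y.
    ok = [j == 0 for j in range(len(y) + 1)]      # nothing read: only y[:0] fits
    for a in x:
        new = [False] * (len(y) + 1)
        for j in range(1, len(y) + 1):
            if y[j - 1] != a:
                continue
            k = j - 1                  # y[k:j-1] plays the role of the factor z_i
            while True:
                if ok[k]:
                    new[j] = True
                    break
                if k == 0 or y[k - 1] > a:   # z_i may not contain a priority above a_i
                    break
                k -= 1
        ok = new
    return ok[len(y)]

def supersede_once(y):
    """All x with y ->_# x (rewrite rule a a' -> a' when a <= a')."""
    return {y[:k] + y[k + 1:] for k in range(len(y) - 1) if y[k] <= y[k + 1]}

def below(y):
    """Every x with x <=_# y, obtained by exhaustive rewriting from y."""
    seen, todo = {y}, [y]
    while todo:
        for x in supersede_once(todo.pop()):
            if x not in seen:
                seen.add(x)
                todo.append(x)
    return seen

def check_proposition_2(d=2, max_len=4):
    """Return the pairs (x, y) of words over {0..d}, of length <= max_len,
    on which the embedding and the superseding ordering disagree."""
    letters = "".join(str(a) for a in range(d + 1))
    words = ["".join(w) for n in range(max_len + 1)
             for w in product(letters, repeat=n)]
    disagreements = []
    for y in words:
        smaller = below(y)
        for x in words:
            if priority_embeds(x, y) != (x in smaller):
                disagreements.append((x, y))
    return disagreements
```

Note that matching greedily against the nearest or the farthest occurrence of each letter is not enough: `212` embeds into `1212` only through a choice that neither greedy strategy makes consistently, which is why the table of all matched positions is kept.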



4 Applications of Priority Embedding to Trees 

In this section we show how tree orderings can be reflected into sequences over
a priority alphabet. This serves two purposes. First, it illustrates the "power"
of priority embeddings, reproving that strong tree embeddings form a wqo as a
byproduct. Second, the reflection defined will subsequently be used in Section 6
to provide an encoding of ordinals that PCSs can manipulate "robustly."

4.1 Encoding Bounded Depth Trees

Given an alphabet $\Gamma$, the set of finite, ordered, unranked labeled trees (aka
variadic terms) over $\Gamma$, noted $T(\Gamma)$, is the smallest set such that, if $f$ is in $\Gamma$
and $t_1, \ldots, t_n$ are $n \ge 0$ trees in $T(\Gamma)$, then the tree $f(t_1 \cdots t_n)$ is in $T(\Gamma)$. A
context $C$ is defined as usual as a tree with a single occurrence of a leaf labeled
by a distinguished variable $x$. Given a context $C$ and a tree $t$, we can form a
tree $C[t]$ by plugging $t$ instead of that $x$-labeled leaf.

Let $d$ be a depth in $\mathbb{N}$ and $\bullet$ be a node label. We consider the set $T_d = T_d(\{\bullet\})$
of trees of depth at most $d$ with $\bullet$ as single possible label; for instance, $T_0 = \{\bullet()\}$
contains a single tree, and the two trees shown in Figure 2 are in $T_2$:

Figure 2: Two trees in $T_2$.



It is a folklore result that one can encode bounded depth trees into finite
sequences using canonical factorizations. Here we present a natural variant that
is rather well-suited for our constructions in Section 6. We encode trees of
bounded depth using the function $s_d : T_{d+1} \to \Sigma_d^*$ defined by induction on $d$ as

$$s_d(\bullet(t_1 \cdots t_n)) = \begin{cases} \varepsilon & \text{if } n = 0, \\ s_{d-1}(t_1)\, d \cdots s_{d-1}(t_n)\, d & \text{otherwise.} \end{cases} \quad (4)$$

For instance, if we fix $d = 1$, the left tree in Figure 2 is encoded as "111" and
the right one as "0011". Note that the encoding depends on the choice of $d$:
for $d = 2$ we would have encoded the trees in Figure 2 as "222" and "1122",
respectively.

Not every string in $\Sigma_d^*$ is the encoding of a tree according to $s_d$: for $-1 <
a \le d$, we let $P_a = (P_{a-1}\{a\})^*$ be the set of proper encodings of height $a$, with
further $P_{-1} = \{\varepsilon\}$. Then $P = \bigcup_{a \le d} P_a$ is the set of proper words in $\Sigma_d^*$. A
proper word $x$ is either empty or belongs to a unique $P_a$ with $a = h(x)$, and
has then a canonical factorization of the form $x = x_1 a \cdots x_m a$ with every $x_j$ in
$P_{a-1}$. Put differently, a non-empty $x = a_1 \cdots a_\ell$ is in $P_a$ if and only if $a_\ell = h(x)$
and $a_{i+1} - a_i \le 1$ for all $i < \ell$ (we say that $x$ has no jumps: along proper words,
priorities only increase smoothly, but can decrease sharply). For example, 02 is
not proper (it has a jump) while 012 is proper; 233123401234 is proper too.

Given a depth $a$, we see that $s_a$ is a bijection between $T_{a+1}$ and $P_a$, with
the inverse defined by

$$\tau(\varepsilon) = \bullet(), \quad (5)$$
$$\tau(x = x_1 h(x) \cdots x_m h(x)) = \bullet(\tau(x_1) \cdots \tau(x_m)). \quad (6)$$
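The encoding $s_d$, its inverse $\tau$ and the two characterizations of proper words can be checked against each other. The Python sketch below is an added example, not code from the paper: trees over the single label are nested tuples (a leaf is `()`), words are strings of digits (assumes d ≤ 9), the trees `LEFT` and `RIGHT` are reconstructed from the encodings "111" and "0011" quoted above since Figure 2 did not survive extraction, and all function names are hypothetical.

```python
from itertools import product

LEFT = ((), (), ())            # reconstructed from its encoding "111" for d = 1
RIGHT = (((), ()), ())         # reconstructed from its encoding "0011" for d = 1

def depth(t):
    """Depth of a tree given as a tuple of subtrees; a leaf () has depth 0."""
    return 0 if not t else 1 + max(depth(c) for c in t)

def encode(t, d):
    """s_d of Eq. (4): every subtree is encoded at level d-1 and followed by d."""
    if depth(t) > d + 1:
        raise ValueError("tree too deep for level %d" % d)
    return "".join(encode(c, d - 1) + str(d) for c in t)

def is_proper(x):
    """No-jump criterion: the last letter is h(x) and a_{i+1} - a_i <= 1."""
    if not x:
        return True
    p = [int(c) for c in x]
    return p[-1] == max(p) and all(b - a <= 1 for a, b in zip(p, p[1:]))

def decode(x):
    """tau of Eqs. (5)-(6), via the canonical factorization x = x_1 h ... x_m h.
    Raises ValueError when x is not a proper word."""
    if not x:
        return ()
    h = max(x)                          # height h(x), as a digit character
    if x[-1] != h:
        raise ValueError("a proper word ends with its height")
    children = []
    for residual in x[:-1].split(h):    # the residuals x_1, ..., x_m
        if residual and int(max(residual)) != int(h) - 1:
            raise ValueError("residual is not in P_{h-1}")
        children.append(decode(residual))
    return tuple(children)

def criteria_agree(d=2, max_len=5):
    """True iff the no-jump criterion and the recursive definition of proper
    words coincide on every word over {0..d} of length <= max_len."""
    letters = "".join(str(a) for a in range(d + 1))
    for n in range(max_len + 1):
        for w in map("".join, product(letters, repeat=n)):
            try:
                decode(w)
                by_factorization = True
            except ValueError:
                by_factorization = False
            if by_factorization != is_proper(w):
                return False
    return True
```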



4.2 Strong Tree Embeddings 

One can provide a formal meaning to the notion of a wqo $(B, \preceq_B)$ being more
powerful than another one $(A, \preceq_A)$ through order reflections, i.e. through the
existence of a mapping $r: A \to B$ such that $r(x) \preceq_B r(y)$ implies $x \preceq_A y$ for all
$x, y$ in $A$. Observe that if $B$ reflects $A$, i.e., there is an order reflection from $A$ to
$B$, and $(B, \preceq_B)$ is a wqo, then $(A, \preceq_A)$ is necessarily a wqo. We show here that
$(\Sigma_d^*, \sqsubseteq_p)$ reflects bounded-depth trees endowed with the strong tree-embedding
relation.

Let $t$ and $t'$ be two trees in $T_d$. We say that $t$ strongly embeds into $t'$, written
$t \sqsubseteq_T t'$, if it can be obtained from $t'$ by deleting whole subtrees, i.e. $\sqsubseteq_T$ is the
reflexive transitive closure of the relation that relates $t$ to $t'$ iff
$t = C[\bullet(t_1 \cdots t_{i-1} t_{i+1} \cdots t_n)]$
and $t' = C[\bullet(t_1 \cdots t_{i-1} t_i t_{i+1} \cdots t_n)]$ for some context $C$ and subtrees $t_1, \ldots, t_n$.

Strong tree embeddings refine the homeomorphic tree embeddings used in Kruskal's
Tree Theorem; in general they do not give rise to a wqo, but in the case of
bounded depth trees they do. The two trees in Figure 2 are not related by any
homeomorphic tree embedding, and thus neither by strong tree embedding.

Observe that the leaf $\bullet()$ strongly embeds into any other tree: $\bullet() \sqsubseteq_T t$ for
all $t$. Let us consider the extension operation "@" on trees, which is defined for
$n \ge 0$ by

$$\bullet(t_1 \cdots t_n) \,@\, t = \bullet(t_1 \cdots t_n t); \quad (7)$$

in particular, $\bullet() \,@\, t = \bullet(t)$. Also observe that, if $y$ is in $P_a$ and $z$ in $P_{a-1}$, then

$$\tau(y z a) = \tau(y) \,@\, \tau(z). \quad (8)$$

Finally observe that $\sqsubseteq_T$ is a precongruence for @:

$$t_1 \sqsubseteq_T t_1' \text{ and } t_2 \sqsubseteq_T t_2' \text{ imply } t_1 \,@\, t_2 \sqsubseteq_T t_1' \,@\, t_2', \quad (9)$$
$$t \sqsubseteq_T t \,@\, t'. \quad (10)$$

Proposition 3. The function $s_d$ is an order reflection from $(T_{d+1}, \sqsubseteq_T)$ to
$(\Sigma_d^*, \sqsubseteq_p)$.

Proof. Let $x$ and $x'$ be two proper words in $P_d$ with $x \sqsubseteq_p x'$; we show by
induction on $x$ that $\tau(x) \sqsubseteq_T \tau(x')$. If $x$ is empty, then $x \sqsubseteq_p x'$ requires $x' = x$.
Otherwise, we consider the canonical factorization $x = x_1 d \cdots x_k d z d$ for $k \ge 0$.
Writing $y = x_1 d \cdots x_k d$, by (3), $x' = y' z'$ with $y \sqsubseteq_p y'$ and $z d \sqsubseteq_p z'$ where $y'$
and $z'$ are both in $P_d$. The canonical factorization of $z'$ as $z'_1 d \cdots z'_m d$ yields
$z \sqsubseteq_p z'_1$ with $z'_1$ in $P_{d-1}$, as there is no other way of disposing of the other
occurrences of $d$ in $z'$. Then

$$\tau(x) = \tau(y) \,@\, \tau(z) \quad \text{(by (8))}$$
$$\sqsubseteq_T \tau(y') \,@\, \tau(z'_1) \quad \text{(by ind. hyp. and (9))}$$
$$\sqsubseteq_T \tau(y') \,@\, \tau(z'_1) \,@\, \cdots \,@\, \tau(z'_m) \quad \text{(by (10))}$$

Corollary 1. For each $d$, $(T_d, \sqsubseteq_T)$ is a wqo.

4.3 Further Applications 

As stated in the introduction to this section, our main interest in strong tree
embeddings is in connection with structural orderings of ordinals; see Section 6.
Bounded depth trees are also used in the verification of infinite-state systems
as a means to obtain decidability results, in particular for tree pattern
rewriting systems (Genest et al. 2008) in XML processing, and, using elimination
trees (see Ossona de Mendez and Nešetřil 2012), for bounded-depth graphs
used e.g. in the verification of ad-hoc networks (Delzanno et al. 2010), the
π-calculus (Meyer 2008), and programs (Bansal et al. 2013). These applications
consider labeled trees, which are dealt with thanks to a generalization of $\sqsubseteq_p$ to
pairs $(a, w)$ where $a$ is a priority and $w$ a symbol from some wqo $(\Gamma, \le)$; see
App. D.

This generalization of $\sqsubseteq_p$ also allows to treat another wqo on trees, the
tree minor ordering, using the techniques of Gupta (1992) to encode them in
prioritized alphabets. The tree minor ordering is coarser than the homeomorphic
embedding (e.g. in Figure 2 the left tree is a minor of the right tree), but the
upside is that trees of unbounded depth can be encoded into strings.

The exact complexity of verification problems in the aforementioned models
is currently unknown (Genest et al. 2008; Delzanno et al. 2010; Meyer 2008;
Bansal et al. 2013). Our encoding suggests them to be $\mathbf{F}_{\varepsilon_0}$-complete. We
hope to see PCS Reachability employed as a "master" problem for $\mathbf{F}_{\varepsilon_0}$ for such
results, like LCS Reachability for , which is used in reductions instead of
more difficult proofs based on Turing machines and Hardy computations.



5 Fast-Growing Upper Bounds

The verification of infinite-state systems and WSTSs in particular turns out
to require astronomic computational resources expressed as subrecursive
functions (Löb and Wainer 1970; Fairtlough and Wainer 1998) of the input size.
We show in this section how to bound the complexity of the algorithms
presented in Section 2.3 and classify the Reachability and Inevitability problems
using fast-growing complexity classes (Schmitz and Schnoebelen 2012).



5.1 Subrecursive Hierarchies 

Throughout this paper, we use ordinal terms inductively defined by the following
grammar

$$(\Omega \ni)\ \alpha, \beta, \gamma ::= 0 \mid \omega^\alpha \mid \alpha + \beta$$

where addition is associative, with 0 as the neutral element (the empty sum).
Equivalently, we can then see a term other than 0 as a tree over the alphabet
{+}; for instance the two trees in Figure 2 represent 3 and $\omega^2 + 1$ respectively,
when putting the ordinal terms under the form $\alpha = \sum_{i=1}^{k} \omega^{\alpha_i}$. Such a term is
0 if $k = 0$, otherwise a successor if $\alpha_k = 0$ and a limit otherwise. We often write
1 as short-hand for $\omega^0$, and $\omega$ for $\omega^1$. The symbol $\lambda$ is reserved for limit ordinal
terms.

We can associate a set-theoretic ordinal $o(\alpha)$ to each term $\alpha$ by interpreting
+ as the direct sum operator and $\omega$ as $\mathbb{N}$; this gives rise to a well-founded
quasi-ordering $\alpha \le \beta \Leftrightarrow o(\alpha) \le o(\beta)$. A term $\alpha = \sum_{i=1}^{k} \omega^{\alpha_i}$
is in Cantor normal form
(CNF) if $\alpha_1 \ge \alpha_2 \ge \cdots \ge \alpha_k$ and each $\alpha_i$ is itself in CNF for $i = 1, \ldots, k$. Terms
in CNF and set-theoretic ordinals below $\varepsilon_0$ are in bijection; it will however be
convenient later in Section 6 to manipulate terms that are not in CNF.

With any limit term $\lambda$, we associate a fundamental sequence of terms $(\lambda_n)_{n \in \mathbb{N}}$,
given by



(7 + ^ +1 ), 
(7 W), 



7 + uj 13 H hw 







(11)

This yields $\lambda_0 < \lambda_1 < \cdots < \lambda_n < \cdots < \lambda$ for any $\lambda$, with furthermore $\lambda =
\lim_{n \in \mathbb{N}} \lambda_n$. For instance, $\omega_n = n$, $(\omega^\omega)_n = \omega^n$, etc. Note that $\lambda_n$ is in CNF
when $\lambda$ is.

We need to add a term $\varepsilon_0$ to $\Omega$ to represent the set-theoretic $\varepsilon_0$, i.e. the
smallest solution of $x = \omega^x$. We take this term to be a limit term as well; we
define the fundamental sequence for £o by (eo)« = f^m where for n G N, we use 
fl n as short-hand notation for the ordinal 10^ }«, stacked w's^ j e ^ f or ^ if? ^ 
and = up"" . 



Inner Recursion Hierarchies. Our main subrecursive hierarchy is the Hardy
hierarchy. Given a monotone expansive unary function $h: \mathbb{N} \to \mathbb{N}$, it is defined
as an ordinal-indexed hierarchy of unary functions $(h^\alpha: \mathbb{N} \to \mathbb{N})_\alpha$ through

$$h^0(n) = n, \quad h^{\alpha+1}(n) = h^\alpha(h(n)), \quad h^\lambda(n) = h^{\lambda_n}(n).$$

Observe that $h^1$ is simply $h$, and more generally $h^\alpha$ is the $\alpha$th iterate of $h$, using
diagonalisation to treat limit ordinals.

A case of particular interest is to choose the successor function $H(n) = n + 1$
for $h$. Then the fast growing hierarchy $(F_\alpha)_\alpha$ can be defined by $F_\alpha = H^{\omega^\alpha}$,
resulting in $F_0(n) = H^1(n) = n + 1$, $F_1(n) = H^\omega(n) = H^n(n) = 2n$, $F_2(n) =
H^{\omega^2}(n) = 2^n n$ being exponential, $F_3 = H^{\omega^3}$ being non-elementary, $F_\omega = H^{\omega^\omega}$
being an Ackermannian function, $F_{\omega^k}$ a $k$-Ackermannian function, and $F_{\varepsilon_0} =
H^{\varepsilon_0} \circ H$ a function whose totality is not provable in Peano arithmetic (Fairtlough
and Wainer 1998).



Fast-Growing Complexity Classes. Our intention is to establish the "$\mathbf{F}_{\varepsilon_0}$-completeness"
of verification problems on PCSs. In order to make this statement
more precise, we define the class $\mathbf{F}_{\varepsilon_0}$ as a specific instance of the fast-growing
complexity classes defined for $\alpha \ge 3$ by (see Schmitz and Schnoebelen 2012,
App. B)



F Q == |J DTiME(F a (p(n))) 
& a = (J FDTime^H) , 



(12) 
(13) 



where the class of functions $\mathscr{F}_\alpha$ as defined above is the $\alpha$th level of the
extended Grzegorczyk hierarchy (Löb and Wainer 1970) when $\alpha \ge 2$; in particular,
$\bigcup_{\alpha < \varepsilon_0} \mathscr{F}_\alpha$ is exactly the set of ordinal-recursive (aka "provably recursive")
functions (Fairtlough and Wainer 1998).

The complexity classes $\mathbf{F}_\alpha$ are naturally equipped with $\bigcup_{\beta < \alpha} \mathscr{F}_\beta$ as classes of
reductions. For instance, is the set of elementary functions, and $\mathbf{F}_3$ the class
of problems with a tower of exponentials of height bounded by some elementary
function of the input as an upper bound.³

3 Note that, at such high complexities, the usual distinctions between deterministic vs.
nondeterministic, or time-bounded vs. space-bounded computations become irrelevant.

5.2 Complexity Upper Bounds

Recall that an alternative characterization of a wqo $(X, \preceq)$ is that any sequence
$x_0, x_1, x_2, \ldots$ over $X$ verifying $x_i \not\preceq x_j$ for all $i < j$ is necessarily finite. Such
sequences are called bad, and in order to bound the complexity of the algorithms
from Thm. 2 we are going to bound the lengths of bad sequences over the wqo
$(\mathit{Conf}_S, \le_\#)$ using the Length Function Theorem of (Schmitz and Schnoebelen
2011).



Let us explain the steps towards an upper bound for Termination in some
detail; the results for Reachability and Inevitability are similar but more involved;
see (Schmitz and Schnoebelen 2012) for generic complexity arguments for WSTSs.

A Finite Witness. Observe that, if an execution $C_0 \to_\# C_1 \to_\# C_2 \to_\# \cdots$
of the transition system $S_\#$ verifies $C_i \le_\# C_j$ for some indices $i < j$, then
because $S_\#$ is a WSTS, we can simulate the steps performed in this sequence
after $C_i$ but starting from $C_j$ and build an infinite run. Conversely, if the system
does not terminate, i.e. if there is an infinite execution $C_0 \to_\# C_1 \to_\# C_2 \to_\#
\cdots$, then because of the wqo we will eventually find $i < j$ such that $C_i \le_\# C_j$.
Therefore, the system is non-terminating if and only if there is a finite witness
of the form $C_0 \to_\#^* C_i \to_\#^+ C_j$ with $C_i \le_\# C_j$.



Controlled Sequences Another observation is that the size of successive 
configurations cannot grow arbitrarily along runs; in fact, the length of the 
channels contents can only grow by one symbol at a time using a write transition. 
This means that if we define |C = (g, x\, . . . , x m )\ — Y2j=i \ x j\' then in an 
execution C ^ # C x ^# C 2 ^ # • • • , \C t \ < |C | +i = WQCqD, i.e. any 
execution is controlled by the successor function H. 



Maximal Order Type The last ingredient we need is a measure of the com- 
plexity of the wqo ( Conf s , <#) called its maximal order type, which can be de- 
fined as the ordinal of its maximal linearization. We can bound Od, the maximal 
order type of (Tig, C p ), by induction on d: o_i = 1, and Od < -Od-\-Od-\-d 
using the order reflection implicit in the proof of Thm. 3 (see App. [E] for de- 
tails). Therefore, the maximal order type 05 of (Conf s ,<#) is bounded by 

owr • iqi- 



Applying the Length Function Theorem Then, using the uniform up- 
per bounds of (Sc hmitz and Schnoebelen| |2011[ ), the maximal length of a bad 
execution in S# is bounded by /i° s (|Co|) for a fixed polynomial h. Setting 
\S\ = |A| + \Q\+d + m, we see that this length is less than H £o (p(\S\ + \C \)) 
for some fixed ordinal-recursive function p. 



A Combinatory Algorithm Because the functions (h a ) a are space-constructible 
whenever h is, the above discussion yields a non-deterministic algorithm in F eo 
for Termination: compute L = h° s (|Co|) and look for an execution of length 
L + 1 in S#. If one exists, it is necessarily a witness for nontermination; other- 
wise, the system is guaranteed to terminate from Co. 

We call this a combinatory algorithm, as it relies on the combinatory analysis provided by the Length Function Theorem to derive an upper bound on the size of a finite witness for the property at hand; here Termination, but the same kind of techniques can be used for Reachability and Inevitability:

Theorem 4 (Complexity of PCS Verification). Reachability and Inevitability of PCSs are in \(\mathbf{F}_{\varepsilon_0}\).



6 Hardy Computations by PCSs 



In this section we show how PCSs can weakly compute the Hardy functions \(H^\alpha\) and their inverses for all ordinals \(\alpha\) below \(\Omega\), which is the key ingredient for Thm. 5. For this, we develop (Section 6.1) encodings \(s(\alpha) \in \Sigma_d^*\) for ordinals \(\alpha \in \Omega_d\) and show how PCSs can compute with these codes, e.g. build the code for \(\lambda_n\) from the code of a limit \(\lambda\). This is used (Section 6.2) to design PCSs that "weakly compute" \(H^\alpha\) and \((H^\alpha)^{-1}\) in the sense of Def. 1 below.

6.1 Encoding Ordinals

Our encoding of ordinal terms as strings in \(\Sigma_d^*\) is exactly the encoding of trees presented in Section 4. For \(0 \le a \le d\), we use the following equation to define the language \(P_a \subseteq \Sigma_d^*\) of proper encodings, or just codes:

\[ P_a \stackrel{\text{def}}{=} \varepsilon + P_a\, P_{a-1}\, a . \tag{14} \]



p 



' 



Prf. Each P a (and then P itself) is a regular language, 

0*. 



Let P = P_i 

with P a = (P a _ia)* as in Section 4 for instance, Pq 



Decompositions A code \(x\) is either the empty word \(\varepsilon\), or belongs to a unique \(P_a\). If \(x \in P_a\) is not empty, it has a unique factorization \(x = yza\) according to (14) with \(y \in P_a\) and \(z \in P_{a-1}\). The factor \(z \in P_{a-1}\) in \(x = yza\) can be developed further, as long as \(z \ne \varepsilon\): a non-empty code \(x \in P_d\) has a unique factorization as \(x = y_d\, y_{d-1} \cdots y_a\; a^\frown d\) with \(y_i \in P_i\) for \(i = a, \ldots, d\), and where for \(0 \le a \le b\), we write \(a^\frown b\) for the staircase word \(a(a+1)\cdots(b-1)b\), letting \(a^\frown b = \varepsilon\) when \(a > b\). We call this the decomposition of \(x\). Note that the value of \(a\) is obtained by looking for the maximal suffix of \(x\) that is a staircase word. For example, \(x = 23312340121234 \in P_4\) is a code and decomposes as

\[ x = \underbrace{2331234}_{y_4}\ \underbrace{\varepsilon}_{y_3}\ \underbrace{012}_{y_2}\ \underbrace{\varepsilon}_{y_1}\ \underbrace{1234}_{1^\frown 4} \]



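Ordinal Encoding Following the tree encoding of Section 4, with a code \(x \in P\), we associate an ordinal term \(\eta(x)\) given by

\[ \eta(\varepsilon) \stackrel{\text{def}}{=} 0, \qquad \eta(yza) \stackrel{\text{def}}{=} \eta(y) + \omega^{\eta(z)} , \tag{15} \]

where \(x = yza\) is the factorization according to (14) of \(x \in P_a \setminus \{\varepsilon\}\). For example, \(\eta(a) = \omega^0 = 1\) for all \(a \in \Sigma_d\), \(\eta(012) = \eta(234) = \omega^\omega\), and more generally \(\eta(a^\frown b) = \Omega_{b-a}\). One sees that \(\eta(x) < \Omega_{a+1}\) when \(x \in P_a\).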

The decoding function \(\eta: P \to \Omega_{d+1}\) is onto (or surjective) but it is not bijective. However, it is a bijection between \(P_a\) and \(\Omega_{a+1}\) for any \(a \le d\). Its converse is the level-\(a\) encoding function \(s_a : \Omega_{a+1} \to P_a\), defined with

\[ s_a\Big(\sum_{i=1}^{p} \gamma_i\Big) \stackrel{\text{def}}{=} s_a(\gamma_1) \cdots s_a(\gamma_p) , \qquad s_a(\omega^\alpha) \stackrel{\text{def}}{=} s_{a-1}(\alpha)\, a . \]

Thus \(s_a(0) = s_a(\sum \emptyset) = \varepsilon\) and, for example,

\[ s_5(1) = 5, \quad s_5(3) = 555, \quad s_5(\omega) = 45, \]
\[ s_5(\omega^3) = 4445, \quad s_5(\omega^\omega) = 345, \quad s_5(\omega^{\omega^\omega}) = 2345, \]
\[ s_5(\omega^3 + \omega^2) = 4445445, \quad s_5(\omega \cdot 3) = 454545 . \]

We may omit the subscript when \(a = d\), e.g. writing \(s(1) = d\).

Successors and Limits Let \(x = y_d\, y_{d-1} \cdots y_a\; a^\frown d\) be the decomposition of \(x \in P_d \setminus \{\varepsilon\}\). By (15), \(x\) encodes a successor ordinal \(\eta(x) = \beta + 1\) iff \(a = d\), i.e., if \(x\) ends with two \(d\)'s (or has length 1). Since then \(\beta = \eta(y_d \cdots y_a)\), one obtains the "predecessor of \(x\)" by removing the final \(d\).

If \(a < d\), \(x\) encodes a limit \(\lambda\). Combining (11) and (15), one obtains the encoding \((x)_n\) of \(\lambda_n\) with

\[ (x)_n \stackrel{\text{def}}{=} y_d\, y_{d-1} \cdots y_{a+1}\, \big(y_a (a+1)\big)^n\, (a+2)^\frown d . \tag{16} \]

E.g., with \(d = 5\), decomposing \(x = 333345 = s(\omega^{\omega^4})\) gives \(a = 3\), \(x = y_5\, y_4\, y_3\, 345\), with \(y_3 = 333\) and \(y_5 = y_4 = \varepsilon\). Then \((x)_n = (3334)^n 5\), agreeing with, e.g. \(s(\omega^{\omega^3 \cdot 2}) = 333433345\).

Robustness Translated to ordinals, Prop. 3 means that, whenever \(x \le_\# x'\) for \(x, x' \in P_a\), then the corresponding ordinal \(\eta(x)\) will be "structurally" smaller than \(\eta(x')\). This in turn yields that the corresponding Hardy function \(H^{\eta(x)}\) grows at most as fast as \(H^{\eta(x')}\); see App. C for details:

Proposition 4 (Robustness). Let \(a \ge 0\) and \(x, x' \in P_a\). If \(x \le_\# x'\) then \(H^{\eta(x)}(n) \le H^{\eta(x')}(n')\) for all \(n \le n'\) in \(\mathbb{N}\).

6.2 Robust Hardy Computations in PCSs 



Our PCSs for robust Hardy computations use three channels (see Figure 3), storing (codes for) a pair \(\alpha, n\) on channels o (for "ordinal") and c (for "counter"), and employ an extra channel, t, for "temporary" storage. Instead of \(\Sigma_d\), we use \(\Sigma_{d+1}\) with \(d + 1\) used as a position marker and written $ for clarity: each channel always contains a single occurrence of $.



o: 334545$ the ordinal term 



c : 0$ the counter value 4 



t : $ the temporary storage 

Figure 3: Channels for Hardy computations.

Definition 1. A weak Hardy computer for \(\Omega_{d+1}\) is a \((d+1)\)-PCS \(S\) with channels Ch = {o, c, t} and two distinguished states \(p_{beg}\) and \(p_{end}\) such that:

if \((p_{beg}, x\$, y\$, z\$) \xrightarrow{*}_w (p_{end}, u, v, w)\) then \(x \in P_d\), \(y \in 0^+\), \(z = \varepsilon\) and \(u, v, w \in \Sigma_d^*\$\), (safety)

if \((p_{beg}, s(\alpha)\$, 0^n\$, \$) \xrightarrow{*}_w (p_{end}, s(\beta)\$, 0^m\$, \$)\) then \(H^\alpha(n) \ge H^\beta(m)\). (robustness)

Furthermore \(S\) is complete if for any \(\alpha < \Omega_{d+1}\) and \(n > 0\) it has runs \((p_{beg}, s(\alpha)\$, 0^n\$, \$) \xrightarrow{*}_w (p_{end}, \$, 0^m\$, \$)\) where \(m = H^\alpha(n)\), and it is inv-complete if it has runs \((p_{beg}, \$, 0^m\$, \$) \xrightarrow{*}_w (p_{end}, s(\alpha)\$, 0^n\$, \$)\).



In the rest of Section 6.2 we prove the following

Lemma 3 (PCSs weakly compute Hardy functions). For every \(d \in \mathbb{N}\), there exists a weak Hardy computer \(S_d\) for \(\Omega_{d+1}\) that is complete, and a weak \(S'_d\) that is inv-complete. Furthermore \(S_d\) and \(S'_d\) can be generated uniformly from \(d\).

We design a complete weak Hardy computer by assembling several components. Our strategy is to implement in a PCS the canonical Hardy steps, denoted with \(\xrightarrow{H}\) and specified by the following two rewrite rules:

\[ (\alpha + 1, n) \xrightarrow{H} (\alpha, n + 1) \quad \text{for successors,} \tag{17} \]
\[ (\lambda, n) \xrightarrow{H} (\lambda_n, n) \quad \text{for limits.} \tag{18} \]
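The codes of Section 6.1 and the canonical Hardy steps (17) and (18) can be exercised directly on strings. The following Python code is an added example, not code from the paper: it assumes d ≤ 9 so that each letter is one digit, represents an ordinal term as a nested tuple of exponents, uses illustrative function names, and iterates the steps down to the empty code with the standard base case H^0(n) = n.

```python
# Added example: codes for ordinal terms (Section 6.1) and Hardy steps (17)-(18).
# Assumptions: letters 0..d are single digits (d <= 9); an ordinal term is a
# tuple of exponent terms, () being 0 and (e1, ..., ep) being w^e1 + ... + w^ep.

def nat(k):
    """The finite ordinal k, i.e. w^0 + ... + w^0 with k summands."""
    return ((),) * k

def wpow(e):
    """The term w^e."""
    return (e,)

def encode(term, a):
    """Level-a code s_a(term): s_a(w^e) = s_{a-1}(e) a, concatenated over sums."""
    if term and a < 0:
        raise ValueError("term is too high for this level")
    return "".join(encode(e, a - 1) + str(a) for e in term)

def decode(x, a):
    """eta(x) for x in P_a = (P_{a-1} a)*; raises ValueError outside P_a."""
    if x == "":
        return ()
    if a < 0 or not x.endswith(str(a)):
        raise ValueError(f"{x!r} is not a code of level {a}")
    # Each block before an occurrence of the letter a must be a code in P_{a-1}.
    return tuple(decode(z, a - 1) for z in x.split(str(a))[:-1])

def decompose(x, d):
    """Return (a, ys) with x = y_d ... y_a a(a+1)...d and ys[i] = y_i in P_i."""
    if not x:
        raise ValueError("the empty code has no decomposition")
    decode(x, d)                              # reject strings outside P_d
    i, a = len(x) - 1, d
    while i > 0 and a > 0 and x[i - 1] == str(a - 1):
        i, a = i - 1, a - 1                   # extend the maximal staircase suffix
    rest, ys = x[:i], {}
    for level in range(d, a - 1, -1):
        cut = rest.rfind(str(level)) + 1      # y_level ends at the last 'level'
        ys[level], rest = rest[:cut], rest[cut:]
    assert rest == "", "unreachable for valid codes"
    return a, ys

def limit_step(x, n, d):
    """Equation (16): the code (x)_n of lambda_n when x encodes a limit lambda."""
    a, ys = decompose(x, d)
    if a == d:
        raise ValueError("x encodes a successor, not a limit")
    head = "".join(ys[i] for i in range(d, a, -1))        # y_d ... y_{a+1}
    tail = "".join(str(i) for i in range(a + 2, d + 1))   # staircase (a+2)..d
    return head + (ys[a] + str(a + 1)) * n + tail

def hardy(x, n, d):
    """Apply steps (17) and (18) to (code, counter) until the code is empty."""
    while x:
        a, _ = decompose(x, d)
        if a == d:                            # successor: drop the final d
            x, n = x[:-1], n + 1
        else:                                 # limit: move to (x)_n
            x = limit_step(x, n, d)
    return n

if __name__ == "__main__":
    print(encode(wpow(nat(3)) + wpow(nat(2)), 5))   # code of w^3 + w^2 at level 5
    print(decompose("23312340121234", 4))
    print(limit_step("333345", 2, 5))
    print(hardy("45", 3, 5), hardy("445", 3, 5))
```

On a successor code the loop removes the final d and increments the counter; on a limit code it rewrites the whole string according to (16), which is the string-level work that the components S1 and S3 have to perform on fifo channels.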

6.2.1 Successor Steps 



We start with "canonical successor steps", as per (17). They are implemented by \(S_1\), the PCS depicted in Figure 4. When working on codes, replacing \(s(\alpha + 1)\) by \(s(\alpha)\) simply means removing the final \(d\) (see Section 6.1), but when the strings are in fifo channels this requires reading the whole contents of a channel and writing it back, relying on the $ end-marker.

[Figure 4: \(S_1\), a PCS for Hardy steps \((\alpha + 1, n) \to (\alpha, n + 1)\).]



Remark 4 (Notational/graphical conventions). The edge "\(q \xrightarrow{c?!0} q\)" in Figure 4, with c?!0 as label, is shorthand notation for "\(q \xrightarrow{c?0} \circ \xrightarrow{c!0} q\)", letting the intermediary state \(\circ\) remain implicit. We also use meta-rules like "\(p \xrightarrow{o?!x \in P_d} \circ\)" above to denote a subsystem tasked with reading and writing back a string \(x\) over o while checking that it belongs to \(P_d\); since \(P_d\) is a regular language, such subsystems are trivial to implement.

We first analyze the behavior of \(S_1\) when superseding of low-priority messages does not occur, i.e., we first consider its "reliable" semantics. In this case, starting \(S_1\) in state \(p\) performs the step given in (17) for successor ordinals. More precisely, \(S_1\) guarantees

\[ (p, s(\alpha + 1)\$, 0^n\$, \$) \xrightarrow{*}_{\mathrm{rel}} (r, u, v, w) \quad\text{iff}\quad u = s(\alpha)\$ \wedge v = 0^{n+1}\$ \wedge w = \$ . \tag{19} \]

Note that (19) refers to "\(\xrightarrow{*}_{\mathrm{rel}}\)", with no superseding.

Observe that \(S_1\) has to non-deterministically guess where the end of \(s(\alpha)\) occurs before reading \(d\$\) in channel o, and will deadlock if it guesses incorrectly. We often rely on this kind of non-deterministic programming to reduce the size of the PCSs we build. Finally, we observe that if \(x\) does not end with \(dd\) (and is not just \(d\)), i.e., if \(\eta(x)\) is not a successor ordinal, then \(S_1\) will certainly deadlock.

[Figure 5: \(S_2\), a PCS for inverse Hardy steps \((\alpha, n + 1) \to (\alpha + 1, n)\).]

We now consider \(S_2\), the PCS depicted in Figure 5, that implements the inverse canonical steps \((\alpha, n + 1) \xrightarrow{H^{-1}} (\alpha + 1, n)\). Implementing such steps on codes is an easy string-rewriting task since \(s(\alpha + 1) = s(\alpha)d\), however our PCS must again read the whole contents of its channels, write them back with only minor modifications while fulfilling the safety requirement of Def. 1. When considering the reliable behavior, \(S_2\) guarantees

\[ (p, x\$, y\$, \$) \xrightarrow{*}_{\mathrm{rel}} (r, u, v, w) \quad\text{iff}\quad x \in P_d,\ y = 0^{n+1} \text{ for some } n,\ u = s(\eta(x) + 1)\$,\ v = 0^n\$, \text{ and } w = \$ . \tag{20} \]

Consider now the behavior of \(S_1\) when superseding may occur. Note that a run \((p, x\$, y\$, z\$) \xrightarrow{*}_w (r, \ldots)\) from \(p\) to \(r\) is a single-pass run: it reads the whole contents of channels o and c once, and writes some new contents. This feature assumes that we start with a single $ at the end of each channel, as expected by \(S_1\). For such single-pass runs, the PCS behavior with superseding semantics can be derived from the reliable behavior: for single-pass runs, \(C \xrightarrow{*}_w D\) iff \(C \xrightarrow{*}_{\mathrm{rel}} D' \ge_\# D\) for some \(D'\).



Combined with (19 1, the above remark entails robustness for S±: (p,s(a + 
1)$, 0"$, $) A w (r, s(/3)$, 0™'$, $) iff s(/3) < # a (a) and 0™'$ < # 0" +1 $, i.e., ri < 
n+ 1. With Prop.|4| we deduce H p (n') < H a {n). 

The same reasoning applies to S2 since this PCS also performs single-pass 
runs from p tor, hence (p, s(a)$, 0"$, $) A w (r, s(/3)$, 0"'$, $) iff s(/3)<#s(a+l) 
and n' < n - 1. Thus ff^(n') < H a (n). 

6.2.2 Limit Steps 



Our next component is \(S_3\), see Figure 6, that implements the canonical Hardy steps for limits from (18). The construction follows (16): \(S_{3,a}\) reads (and writes back) the contents of channel o, guessing non-deterministically the decomposition \(y_d \cdots y_{a+1}\, y_a\, a(a+1)^\frown d\) of \(s(\lambda)\), it writes back \(y_d \cdots y_{a+1}\) and copies \(y_a\) on the temporary t with \(a + 1\) appended. Then, a loop around state \(q_a\) copies \(0^n\) from and back to c. Every time one 0 is transferred, the whole contents of t, initialized with \(y_a(a + 1)\), is copied to o. When the loop has been visited \(n\) times, \(S_{3,a}\) empties t and resumes the transfer of \(s(\lambda)\) by copying the final \((a + 2)^\frown d\).

For clarity, \(S_{3,a}\) as given in Figure 6 assumes that \(a\) is fixed. The actual \(S_3\) component guesses non-deterministically what is the value of \(a\) for the \(s(\lambda)\) code on o and gives the control to \(S_{3,a}\) accordingly.

[Figure 6: \(S_{3,a}\), a PCS for Hardy steps \((\lambda, n) \to (\lambda_n, n)\).]

As far as reliable steps are considered, \(S_3\) guarantees

\[ (p, s(\alpha)\$, 0^n\$, \$) \xrightarrow{*}_{\mathrm{rel}} (r, u, v, w) \quad\text{iff}\quad \alpha \in \mathit{Lim},\ u = s(\alpha_n)\$,\ v = 0^n\$, \text{ and } w = \$ . \tag{21} \]



If superseding is allowed, a run (p a , s(a)$, 0™$, $) A w (r a , u, v, w) has the form 

(p„, s(a)$, 0"$, $) A w C = ( 9o , (a + 2)~d$x , n $, z $) 

Ci - (g„,(a + 2)^d$a; 1 ,0 n - 1 $«i,z 1 $) A w • • • 
A w C„ = (g a , (a + 2)~d%x n , %v n ,z n %) A w (r a , x' n %, v' n %, $) 

where Ci = (q a , (a + 2)^d$Xi, n ~' l $Vi, z,$) occurs when state g a is visited for 
the i-th time. Since the run is single-pass on c, we know that CP for all 

i = 0, . . . , n. Since it is single-pass on o, we deduce that xq <# yd ■ ■ ■ Va+i, then 
<# XiZi for all i, and finally x' n <# x„(a + 2)~d, with also Zo <# 2/a(a + !)• 
Finally z i+ i ^ since each subrun C, A w Cj+i is single-pass on t. 

All this yields x' n <# s(A n ) and v' n <# 0™. Hence £3 is safe and robust: 
(p,s(a)$,0"$,$) A w (r,s(/3),0"'$,$) iff a € Lim, s(/3) < # s(a„) and ra' < ra, 
entailing H p (n') < H a (n). 



There remains to consider \(S_4\), see Figure 7, the PCS component that implements inverse Hardy steps for limits. For given \(a < d\), \(S_{4,a}\) assumes that channel o contains \(s(\lambda_n) = y_d \cdots y_{a+1}\, [y_a(a + 1)]^n\, (a + 2)^\frown d\), guesses the position of the first \(y_a(a + 1)\) factor, and checks that it indeed occurs \(n\) times if c contains \(0^n\). This check uses copies \(z_1, z_2, \ldots\) of \(y_a(a + 1)\) temporarily stored on t. Then \(S_4\) writes back \(s(\lambda) = y_d \cdots y_{a+1}\, z\, a^\frown d\) on o, where \(z(a + 1) = z_n\). The reader should be easily convinced that, as far as one considers reliable steps, \(S_4\) guarantees

\[ (p, s(\alpha)\$, 0^n\$, \$) \xrightarrow{*}_{\mathrm{rel}} (r, u, v, w) \quad\text{iff}\quad \exists \lambda \in \mathit{Lim} : \alpha = \lambda_n,\ u = s(\lambda)\$,\ v = 0^n\$, \text{ and } w = \$ . \tag{22} \]

[Figure 7: \(S_{4,a}\), a PCS for inverse Hardy steps \((\lambda_n, n) \to (\lambda, n)\).]

When superseding is taken into account, a run from p to r in £4 has the 
form (p, s(a)$, 0™$, $) — > w Ci — > w C2 — > w • • • C„ — > w (V) u, w) where, for 
i = 1, . . . , n, Ci is the z-th configuration that visits state g a . Necessarily, Cj is 
some (q a , Xi$x, n ~''0$v il Zj$). The first visit to g a has x <# 2/d ■ ■ ■ 2/a+i> z \ 
y a (a + 1) and v\ = e, the following ones ensure Xi = ZiXi+i, Zi + \ Zi and 
<# WjO. Concluding the run requires x n = (a + 2)"d. Finally u 0™$, 
s(/3) = yd - ■ ■ y a +i{a+l)zi . . . z n ^i(a + 2)~d and u<#y d - ■■ y a +iza~d for z(a + 
1) = Zn <# Zn-i ' ' ' z 2 <# £1 <# 2/o( a + !)■ Thus u = s(/3)$ and u = 0™ $ 
imply s(/3) <# s(A) for some A with s(A n ) <# s(a), yielding H@(n') < H x (n) = 
H x ™(n) < H a (n). 

6.3 Wrapping It Up 

With the above weak Hardy computers, we have the essential gadgets required for our reductions. The wrapping-up is exactly as in (Haddad et al. 2012; Schnoebelen 2010a) (with a different encoding and a different machine model) and will only be summarily explained.

Theorem 5 (Verifying PCSs is Hard). Reachability and Termination of PCSs are \(\mathbf{F}_{\varepsilon_0}\)-hard.

Proof. We exhibit a LogSpace reduction from the halting problem of a Turing machine \(M\) working in \(F_{\varepsilon_0}\) space to the Reachability problem in a PCS. We assume wlog. \(M\) to start in a state \(p_0\) with an empty tape and to have a single halting state \(p_h\) that can only be reached after clearing the tape.

Figure 8 depicts the PCS \(S\) we construct for the reduction. Let \(n = |M|\) and \(d = n + 1\). A run in \(S\) from the initial configuration to the final one goes through three stages:

[Figure 8: Schematics for Thm. 5.]

1. The first stage robustly computes \(F_{\varepsilon_0}(|M|) = H^{\Omega_d}(n)\) by first writing \(s(\Omega_d)\$ = 0^\frown d\,\$\) on o, \(0^n\$\) on c, and $ on t, then by using \(S_1\) and \(S_3\) to perform forward Hardy steps; thus upon reaching state \(p_0\), o and t contain $ and c encodes a budget \(B \le F_{\varepsilon_0}(|M|)\).

2. The central component simulates \(M\) over c where the symbols 0 act as blanks; this is easily done by cycling through the channel contents to simulate the moves of the head of \(M\) on its tape. Due to superseding steps, the outcome of this phase upon reaching \(p_h\) is that c contains \(B' \le B\) symbols 0.

3. The last stage robustly computes \((F_{\varepsilon_0})^{-1}(B')\) by running \(S_2\) and \(S_4\) to perform backward Hardy steps. This leads to o containing the encoding of some ordinal \(\alpha\) and c of some \(n'\), but we empty these channels and check that \(\alpha = \Omega_d\) and \(n' = n\) before entering state \(q_h\).

Because

\[ H^{\Omega_d}(n) \ge B \ge B' \ge H^{\alpha}(n') = H^{\Omega_d}(n) , \tag{23} \]

all the inequalities are actually equalities, and the simulation of \(M\) in stage 2 has necessarily employed reliable steps. Therefore, \(M\) halts if and only if \((q_h, \varepsilon, \varepsilon, \varepsilon)\) is reachable from \((q_0, \varepsilon, \varepsilon, \varepsilon)\) in \(S\).

The case of (non-)Termination is similar, but employs a time budget in a separate channel in addition to the space budget, in order to make sure that the simulation of \(M\) terminates in all cases, and leads to a state \(q_h\) that is the only one from which an infinite run can start in \(S\). □



7 Concluding Remarks 



We introduced Priority Channel Systems, a natural model for protocols and 
programs with differentiated, prioritized asynchronous communications, and 
showed how they give rise to well-structured systems with decidable model- 
checking problems. 

We showed that Reachability and Termination for PCSs are \(\mathbf{F}_{\varepsilon_0}\)-complete, and we expect our techniques to be transferable to other models, e.g. models based on wqos on bounded-depth trees or graphs, whose complexity has not been analyzed (Genest et al. 2008; Delzanno et al. 2010; Meyer 2008; Bansal et al. 2013). This is part of our current research agenda on complexity for well-structured systems (Schmitz and Schnoebelen 2011).

In spite of their enormous worst-case complexity, we expect PCSs to be amenable to regular model checking techniques à la (Abdulla and Jonsson 1996; Boigelot and Godefroid 1999). This requires investigating the algorithmics of upward- and downward-closed sets of configurations wrt. the priority ordering. These sets, which are always regular, seem promising since \(\sqsubseteq_p\) shares some good properties with the better-known subword ordering, e.g. the upward- or downward-closure of a sequence \(x \in \Sigma_d^*\) can be represented by a DFA with \(|x|\) states.

A Proof of Prop. [T]



Let \(S = (\Sigma_d, \mathit{Ch}, Q, \Delta)\) be a \(d\)-PCS. Recall that its behavior under write-superseding policy is given by \(S_w = (\mathit{Conf}_S, \to_w)\), while its behavior under internal-superseding policy is given by \(S_\# = (\mathit{Conf}_S, \to_\#)\).

Lemma 4 (From \(S_w\) to \(S_\#\)). If \(S_w\) has a run \(C \xrightarrow{*}_w D\) then \(S_\#\) has a run \(C \xrightarrow{*}_\# D\).

Proof. We show that — )> w is contained in — >#, assuming for the sake of simplicity 
that S has only one channel. 

A writing step (p, x) A w (g, y) with x — zbi ■ ■ -bj and y = za in S w 
can be simulated in <S# with (p, x) A# (q, zbi ■ ■ ■ bjO) (g, zbibj-i) ^ \ # 

■ ■ ■ ^ k+ \ # (g, za), where £ = \x\ and k = \z\. Reading steps simply coincide in 
S w and <S#. □ 

In the other direction, one can translate runs in \(S_\#\) to runs in \(S_w\) as stated by the following lemma.

Lemma 5 (From \(S_\#\) to \(S_w\)). If \(S_\#\) has a run \(C \xrightarrow{*}_\# D\) then \(S_w\) has a run \(C' \xrightarrow{*}_w D\) for some \(C' \le_\# C\).

(In particular, if the channels are empty in \(C\), then necessarily \(C' = C\) and \(C \xrightarrow{*}_w D\).)

Proof. Again we assume that S has only one channel. 

Write the run C — >•# D under the form Co — Ci — Y# ■ ■ ■ —Y# C„ and 
rearrange its steps so that superseding occurs greedily. This relies on Lemma [6] 
stated just below. 

Repeatedly applying Lemma 6] to transform C A# C„ as long as possible 
is bound to terminate (with each commutation, superseding steps are shifted 
to the left of reliable steps, or the sum J^. hi of superseding positions in steps 



— - C increases strictly while being bounded by 0(n 2 ) for a length 
run) . One eventually obtains a new run Co — ># C„ with same starting and final 
configurations, and where all the superseding steps occur (at the beginning of 
the run or) just after a write in normalized sequences of the form 

\a #t #1-1 #1-2 #l-r „, 

C = (q, x) >#^# ># C , (24) 

where furthermore I = \x\. In this case, S w has a step C A w C. 

Greedily shifting superseding steps to the left may move some of them at the 
start of the run instead of after a write: these steps are translated into C># C 
in Lemma [5j Finally, the steps that are not in normalized sequences are reading 
steps which exist unchanged in S w . □ 

Lemma 6 (Commuting #-steps). 

1. If Ci A# Ci ^-># C3 then there is a configuration C' 2 s.t. C\ ^ k+ \ ^ 
C 2 ^ # C". 



n 



i 



2. C\ — (q,x) A# C*2 — ># C3 wii/i /c < \x\, then there is a configuration C' 2 
s.t. C\ C' 2 A # C 3 . 

5. I/Ci = (g, a;) — C2 C*3 ki < k 2 then there is a configuration 



C 2 s.t. d ^±i # C 2 ^ # C" 



B PCSs and LCSs 



It is easy to see that Priority Channel Systems are at least as expressive as Lossy Channel Systems, and even the Dynamic Lossy Channel Systems (DLCS) recently introduced by Abdulla et al. (2012).

Furthermore, if we adopt the strict superseding policy described in Remark [T], PCSs can even simulate reliable channel systems, a Turing-powerful model. Since the two simulations are very similar, we start our presentation with the simpler one.

B.1 Simulating Reliable Channels by "Strict Superseding" PCSs

[Figure 9: Simulating reliable channels with "strict" PCSs.]



A channel system \(S\) with reliable channels uses a finite (un-prioritized) alphabet \(\Sigma = \{a_0, \ldots, a_{p-1}\}\) and is equipped with \(m\) "standard" channels \(c_1, \ldots, c_m\). We simulate \(S\) with a PCS \(S'\) having the same \(m\) channels and using the priority alphabet \(\Sigma_d\) with \(d = p\). We use \(d \in \Sigma_d\) as a separator, denoted $ for clarity, while the other priorities \(i = 0, \ldots, p-1\) represent the original messages \(a_i\). A string \(w = a_{i_1} \ldots a_{i_n}\) in \(\Sigma^*\) will be encoded as \(i_1\$ \ldots i_n\$ \in \Sigma_d^*\) when in \(S'\), see Figure 9 for the construction.

With the strict superseding policy, the only superseding that can occur is to have $ overtake and erase a preceding \(i < \$\). This results in a channel containing two (or more) consecutive $, a pattern that can never disappear in this simulation and that eventually forbids reading on the involved channel. In particular, any run of \(S'\) that reaches \(C_{end} = (q_{end}, \varepsilon, \ldots, \varepsilon)\) has not used any (strict) superseding and thus corresponds to a run of \(S\).

With this reduction one sees that reachability is undecidable for PCSs with the strict superseding policy considered in Remark [T].



B.2 Simulating Dynamic LCSs by PCSs

A DLCS \(S\) has \(\Sigma = \{a_0, \ldots, a_{p-1}\}\) and \(\mathit{Ch} = \{c_1, \ldots, c_m\}\) as above. It also has a second-order channel \(c_0\) that is a fifo buffer of sequences over \(\Sigma\), i.e. of channel contents. Transition rules may read and write from standard channels with the usual "\(c_j!a_i\)" and "\(c_j?a_i\)" operations. Rules may also append a complete copy of a channel contents to the second-order channel with a "\(!!c_j\)" operation, or read a channel contents from \(c_0\) with "\(??c_j\)": this replaces the contents of \(c_j\) with the sequence read from \(c_0\). On top of this behavior, the system is unreliable, "lossy", and messages inside the channels may be lost nondeterministically. Inside the second-order \(c_0\), whole sequences may be lost as well as individual messages inside sequences. These are two different losing modalities: in the first case \(c_0\) ends up containing fewer sequences, in the second case it ends up with shorter sequences.

Our simulation of a DLCS S with a PCS S' uses m+1 channels and a priority 
alphabet having level d = p + 1. Since in this simulation p,p + 1 G are 
used as markers, we denote them with the special symbols $ and £. Hence 
£ > $ > i for i = 0, . . . ,p — 1. A sequence w € S* is be represented by w as 
in the previous simulation. A sequence Wi, . . . , w n stored in the second-order 
channel of S will be represented by w\£ . . . Wn£ in S': see Figure 10 



[Figure 10: Simulating DLCSs with PCSs.]



When defining \(S'\) graphically, we use some shorthand notation (e.g. "c?!x" to read and write back a symbol \(x\) in a single step) explained in Remark 4. Going further, higher-order lossy channel systems (DLCSs being "second-order LCSs") can also be simulated by suitably adding new high-priority separators.

One can tighten these simulations to use fewer priorities by encoding the messages \(a_0, \ldots, a_{p-1}\) as fixed length binary strings over {0, 1} followed by a $ separator. Then the prioritized alphabet {0, 1, $, £} suffices, and {0, 1, $} is enough for LCS. In the case of weak LCSs where the set of messages is linearly ordered (say \(a_0 < a_1 < \cdots < a_{p-1}\)) and where, in addition to message losses, any message can be replaced by a lower message inside the channels, we can further tighten this to {0, $} with a unary encoding of message \(a_i\) as \(0^i\$\).

Since this simulation preserves reachability (modulo the encoding of configurations) and termination, we conclude that verifying safety and inevitability properties of PCSs must be at least as hard as it is for LCSs, i.e., \(\mathbf{F}_{\omega^\omega}\)-hard (Chambart and Schnoebelen 2008; Schmitz and Schnoebelen 2011). We also conclude that repeated control-state reachability (and several other problems, see (Schnoebelen 2010a)) are undecidable for PCSs since they are undecidable for LCSs.

C Hardy Computations

We provide in this section some useful properties of the Hardy computations (see (Fairtlough and Wainer 1998), (Schmitz and Schnoebelen 2011, App. C), or (Schmitz and Schnoebelen 2012, App. A) for details).



C.l Properties of the Hardy Hierarchy 

The first fact is that each Hardy function is expansive and monotone in its argument \(n\):

Fact 1 (Expansiveness and Monotonicity, see e.g. [Ml Lem. C.9 and C.10). For all \(\alpha, \alpha'\) in \(\Omega\) and \(n > 0\), \(m\) in \(\mathbb{N}\),

\[ n \le H^{\alpha}(n) , \tag{25} \]
\[ n \le m \ \text{ implies } \ H^{\alpha}(n) \le H^{\alpha}(m) . \tag{26} \]

However, the Hardy functions are not monotone in the ordinal parameter: \(H^{n+1}(n) = 2n + 1 > 2n = H^{n}(n) = H^{\omega}(n)\), though \(n + 1 < \omega\). We will introduce an ordering on ordinal terms in Section C.2 that ensures monotonicity of the Hardy functions.

Another handy fact is that we can decompose Hardy computations:

Fact 2 (see e.g. [Ml Lem. C.7). For all \(\alpha, \gamma\) in \(\Omega\), and \(n\) in \(\mathbb{N}\),

\[ H^{\gamma + \alpha}(n) = H^{\gamma}\big(H^{\alpha}(n)\big) . \tag{27} \]

Note that (27) holds for all ordinal terms, and not only for those \(\alpha, \gamma\) such that \(\gamma + \alpha\) is in CNF; this is a virtue of working with terms rather than set-theoretic ordinals.



C.2 Ordinal Embedding 

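We introduce a partial ordering \(\sqsubseteq_o\) on ordinal terms, called embedding, and which corresponds to the strict tree embedding on the structure of ordinal terms. Formally, it is defined by \(\alpha \sqsubseteq_o \beta\) if and only if \(\alpha = \omega^{\alpha_1} + \cdots + \omega^{\alpha_p}\), \(\beta = \omega^{\beta_1} + \cdots + \omega^{\beta_m}\), and there exist \(i_1 < i_2 < \cdots < i_p\) such that \(\alpha_1 \sqsubseteq_o \beta_{i_1} \wedge \cdots \wedge \alpha_p \sqsubseteq_o \beta_{i_p}\). Note that \(0 \sqsubseteq_o \alpha\) for all \(\alpha\), that \(1 \sqsubseteq_o \alpha\) for all \(\alpha > 0\). In general, \(\alpha \not\sqsubseteq_o \omega^{\alpha}\) and \(\lambda_n \not\sqsubseteq_o \lambda\). This ordering is congruent for addition and \(\omega\)-exponentiation of terms:

\[ \alpha \sqsubseteq_o \alpha' \text{ and } \beta \sqsubseteq_o \beta' \ \text{ imply } \ \alpha + \beta \sqsubseteq_o \alpha' + \beta' , \tag{28} \]
\[ \alpha \sqsubseteq_o \alpha' \ \text{ implies } \ \omega^{\alpha} \sqsubseteq_o \omega^{\alpha'} , \tag{29} \]

and could in fact be defined alternatively by the axiom \(0 \sqsubseteq_o \alpha\) and the two deduction rules (28) and (29).

We list a few useful consequences of the definition of \(\sqsubseteq_o\):

\[ \alpha \sqsubseteq_o \gamma + \omega^{\beta} \ \text{ implies } \ \alpha \sqsubseteq_o \gamma, \text{ or } \alpha = \gamma' + \omega^{\beta'} \text{ with } \gamma' \sqsubseteq_o \gamma \text{ and } \beta' \sqsubseteq_o \beta , \tag{30} \]
\[ n \le m \ \text{ implies } \ \lambda_n \sqsubseteq_o \lambda_m , \tag{31} \]
\[ \alpha \sqsubseteq_o \lambda \ \text{ implies } \ \alpha \sqsubseteq_o \lambda_n, \text{ or } \alpha \text{ is a limit and } \alpha_n \sqsubseteq_o \lambda_n . \tag{32} \]

Proof of (30). Intuitively, there are two cases when we consider \(\alpha \sqsubseteq_o \alpha' = \gamma + \omega^{\beta}\): either the \(\omega^{\beta}\) summand of \(\alpha'\) is in the range of the embedding or not. If it is not, then already \(\alpha \sqsubseteq_o \gamma\). If it is, then \(\alpha\) must be some \(\gamma' + \omega^{\beta'}\) and \(\omega^{\beta'} \sqsubseteq_o \omega^{\beta}\), which implies in turn \(\beta' \sqsubseteq_o \beta\). □

Proof of (31). By induction on \(\lambda\): indeed if \(\lambda = \gamma + \omega^{\beta+1}\) then \(\lambda_m = \gamma + \omega^{\beta} \cdot m\), which is \(\lambda_n + \omega^{\beta} \cdot (m - n)\). If \(\lambda = \gamma + \omega^{\lambda'}\), the ind. hyp. gives \(\lambda'_n \sqsubseteq_o \lambda'_m\), hence \(\lambda_n = \gamma + \omega^{\lambda'_n} \sqsubseteq_o \gamma + \omega^{\lambda'_m} = \lambda_m\). □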

Proof of (32 1. By induction on A. We can write A as some 7 + cj^ with /? > 
so that A n = 7 + (co l3 ) n . If a E D 7, then a C Q A„ trivially. If a = 7' + 1 
is a successor, 1 C Q and again a \— a A„. There remains the case where 

a = 7' +U 13 is a limit (i.e. (3' > 0) with 7' C D 7 and /?' C D /3. If /3 is a limit, then 
by ind. hyp. either /3' Q j3 n and hence a Q A„, or /?' is a limit and f3' n C D 
hence a„ C Q A„. Finally, if /3 = 5 + 1 is a successor, then either /3' C D 5 so that 
a C Q 7 + a/ C 7 + a/ ■ n = A„, otherwise by (30 1, (3' is a successor <5' + 1 with 
5' C D (5, and then (oj^ )„ = oj s ■ n\— u/ • n — (uP) n , hence a n \— a A„. □ 

Proposition 5 (Monotonicity). For all \(\alpha, \alpha'\) in \(\Omega\) and \(n\) in \(\mathbb{N}\),

\[ \alpha \sqsubseteq_o \alpha' \ \text{ implies } \ H^{\alpha}(n) \le H^{\alpha'}(n) . \]

Proof. Let us proceed by induction on a proof of a C a', based on the deduction 
rules ( 28 ) and ( 29 ) . For the base case, C Q a' implies H° (n) = n < H a (n) by 
expansiveness. 

For the inductive step with (28), if a C G a' and (3 C (3' , then 



(by (27)) 



< H a (H f3 \n)) 

< H a '(H '(n)) 
= H a ' +l3 '(n) . 



(by ind. hyp. and (26)) 
(by ind. hyp.) 



(by (27)) 



For the inductive step with ( 29 ), if a C D a', then we show H u (n) < H u (n) 
by induction on a': 

• If a' — 0, then a — and we are done. 



• If 0/ = /3' + 1 is a successor, then by ( 30 1 either a C c /?', or a = j3 + 1 with 

/3 C„ /3'. In the first case, H u " (n) < H""' (n) < H Ji ' (H(n)) = H""' ' (n) 
by ind. hyp. and expansiveness. In the second case, we see by induction 
onieN that 



{H^)\n)< (H» P ') (n) 



for all i and n thanks to the ind. hyp. Thus H u (n) — I H' 



(33) 
(n) < 



H^ 1 (n) for all n, and we are done. 



• If a' = A' is a limit, then by ([32j either a C„ AJ, or a is a limit A and 
A n C Ki- I n the first case (n) < H u " (n) by ind. hyp.; in the second 
case (n) = H uXn (n) < H^" (n) = (n) using the ind. hyp. □
C.3 Robustness



Proposition 6 (Robustness). Let \(a \ge 0\) and \(x \sqsubseteq_p x'\) be two strings in \(P_a\). Then, \(H^{\eta(x)}(n) \le H^{\eta(x')}(n')\) for all \(n \le n'\) in \(\mathbb{N}\).

Proof. We prove that rj(x) C Q rj(x') by induction on x and conclude using 
Prop. [5] and Eq. ([26]). If x = e, rj{x) =0C o rj{x r ). Otherwise we can decompose 
x as yza according to (14) with y e P a and z € P a -i- By (j^f, %' — y'z'a 
with y C p ?/ and za C p z'a. Observe that y' and z' are in P a , and writing 



is in P a _i 



z^a for the canonical decomposition of z' — where necessarily each 
then z C p z[ as there is no other way of disposing of the other 
occurrences of a in z'. 

By ind. hyp., r](y) \— r/(y') and r](z) \— rj(z^). Then, because r/(x) = 

rj(y) + w''( z ) and r)(x') = r)(y') + uj r '^~> H h uj v{z ™\ we see by ([28]) and ([29]) 

that j](x) C Q i](x'). □ 



D Generalized Priority Embeddings 

Let $d \in \mathbb{N}$ be a priority level and let $\gamma = (\Gamma_i, \le_i)_{0 \le i < n}$ be a family of wqos for some $n > d$. A generalized stratified level-$d$ priority alphabet over $\gamma$ (generalized priority alphabet for brevity) is $\Sigma_{d,\gamma} = \{(a, w) : 0 \le a \le d,\ w \in \Gamma_a\}$. Informally speaking, such an alphabet consists of alphabet symbols from the $\Gamma_a$ such that each $w \in \Gamma_a$ is paired with the priority level $a$. A particular case is the uniform one, where there exists a wqo $(\Gamma, \le)$ such that $(\Gamma_i, \le_i) = (\Gamma, \le)$ for all $0 \le i < n$.

Example 1. Letting $\Gamma$ be a finite set of messages represented as strings and $\le$ the identity relation yields a uniform generalized priority alphabet where a priority can be assigned to each message. Such an alphabet underlies the wqo used for showing that planar planted trees are well-quasi-ordered under minors, cf. Sec. D.5 below. Another example is $\Gamma = \Sigma^*$ for some finite alphabet $\Sigma$ and where $\le$ is the substring embedding, which allows for representing unbounded messages on a lossy channel which are tagged with a priority level.

As in the main part, we define the generalized priority embedding in two 
equivalent ways, via a string rewriting system and via factorisations. 

D.1 Superseding Viewpoint

We define the generalized priority relation over finite strings in $\Sigma_{d,\gamma}^*$ as the transitive reflexive closure $\to^{*}_{\#,\gamma}$ of the string rewriting system with the following two rules schemata

$$(a, w)(a', w') \to_{\#,\gamma} (a', w') \quad \text{if } a \le a', \tag{34}$$

$$(a, w) \to_{\#,\gamma} (a, w') \quad \text{if } w' \le_a w. \tag{35}$$

The induced ordering $\le_{\#,\gamma}$ is now defined as $x \le_{\#,\gamma} y \stackrel{\text{def}}{\Leftrightarrow} y \to^{*}_{\#,\gamma} x$.

D.2 Embedding Viewpoint 

Given $x, y \in \Sigma_{d,\gamma}^*$, we define the generalized priority embedding $x \sqsubseteq_{p,\gamma} y$ as

$$x \sqsubseteq_{p,\gamma} y \stackrel{\text{def}}{\Leftrightarrow} x = (a_1, v_1) \cdots (a_\ell, v_\ell) \text{ and } y \text{ can be factored as } y = y_1 (a_1, w_1)\, y_2 (a_2, w_2) \cdots y_\ell (a_\ell, w_\ell)$$

with $y_i \in \Sigma_{a_i,\gamma}^*$ and $v_i \le_{a_i} w_i$ for all $1 \le i \le \ell$. This embedding relation is a quasi-ordering, which can be proved in the same way as in Lem. 1.
The definition immediately yields the following properties:

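$$\varepsilon \sqsubseteq_{p,\gamma} y \text{ iff } y = \varepsilon, \tag{36}$$

$$x_1 \sqsubseteq_{p,\gamma} y_1 \text{ and } x_2 \sqsubseteq_{p,\gamma} y_2 \text{ imply } x_1 x_2 \sqsubseteq_{p,\gamma} y_1 y_2, \tag{37}$$

$$x_1 x_2 \sqsubseteq_{p,\gamma} y \text{ implies } \exists y_1 \sqsupseteq_{p,\gamma} x_1 : \exists y_2 \sqsupseteq_{p,\gamma} x_2 : y = y_1 y_2, \tag{38}$$

$$v \le_a w \text{ implies } (a, v) \sqsubseteq_{p,\gamma} z (a, w) \text{ for all } z \in \Sigma_{a,\gamma}^*. \tag{39}$$

We first show that $(\Sigma_{d,\gamma}^*, \sqsubseteq_{p,\gamma})$ is a quasi-ordering.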

Lemma 7. Let $\Sigma_{d,\gamma}$ be a generalized priority alphabet. Then $(\Sigma_{d,\gamma}^*, \sqsubseteq_{p,\gamma})$ is a

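Proof. Reflexivity follows obviously. Regarding transitivity, let $x, y, z \in \Sigma_{d,\gamma}^*$ be such that $x \sqsubseteq_{p,\gamma} y \sqsubseteq_{p,\gamma} z$ and write $x = (a_1, u_1) \cdots (a_\ell, u_\ell)$. Since $x \sqsubseteq_{p,\gamma} y$, we can write $y = y_1 (a_1, v_1) \cdots y_\ell (a_\ell, v_\ell)$, where $u_i \le_{a_i} v_i$ and each $y_i = (b_{1,i}, v_{1,i}) \cdots (b_{m_i,i}, v_{m_i,i}) \in \Sigma_{a_i,\gamma}^*$ for all $1 \le i \le \ell$. Consequently, since $y \sqsubseteq_{p,\gamma} z$, we can decompose $z$ as $z = z_1 (a_1, w_1) \cdots z_\ell (a_\ell, w_\ell)$, where each $z_i$ is of the form

$$z_i = z_{1,i} (b_{1,i}, w_{1,i}) \cdots z_{m_i,i} (b_{m_i,i}, w_{m_i,i})\, z'_i.$$

Since each $(b_{j,i}, w_{j,i}) \in \Sigma_{a_i,\gamma}$, by definition of $\sqsubseteq_{p,\gamma}$ we have $z_i \in \Sigma_{a_i,\gamma}^*$, hence the above decomposition of $z$ yields $x \sqsubseteq_{p,\gamma} z$. □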

Moreover, $\le_{\#,\gamma}$ and $\sqsubseteq_{p,\gamma}$ coincide, as shown by the next lemma.

Lemma 8. For any $x, y \in \Sigma_{d,\gamma}^*$, $x \le_{\#,\gamma} y$ iff $x \sqsubseteq_{p,\gamma} y$.

Proof. In the following, write $x$ as $x = (a_1, v_1) \cdots (a_k, v_k)$. Suppose $x \le_{\#,\gamma} y$, i.e. $y \to^{*}_{\#,\gamma} x$. We show the statement by induction on the number of rewrite steps. For the induction step, let $y \to_{\#,\gamma} z$ such that $z \to^{*}_{\#,\gamma} x$. By the induction hypothesis, $x \sqsubseteq_{p,\gamma} z$, i.e., $z$ can be factored as $z = z_1 (a_1, w_1) \cdots z_k (a_k, w_k)$ such that $z_i \in \Sigma_{a_i,\gamma}^*$ and $v_i \le_{a_i} w_i$ for all $1 \le i \le k$. We do a case distinction on which rewriting rule is applied. If $y \to_{\#,\gamma} z$ via (34) then $y$ is obtained from $z$ by replacing some $z_j = z_{j,1} \cdots z_{j,\ell_j}$ with $z'_j = z_{j,1} \cdots z_{j,i-1} (b, w) z_{j,i} \cdots z_{j,\ell_j}$ for some $1 \le i \le \ell_j$ and $(b, w)$ such that in particular $b \le a_j$. Thus, $y$ factors as $y = z_1 (a_1, w_1) \cdots z'_j (a_j, w_j) \cdots z_k (a_k, w_k)$, which by definition gives $x \sqsubseteq_{p,\gamma} y$. Otherwise, if $y \to_{\#,\gamma} z$ via (35), $y$ is obtained by replacing some $(a, w)$ occurring in $z$ with $(a, w')$ for some $w' \ge_a w$. By transitivity of $\le_a$, $x \sqsubseteq_{p,\gamma} y$ follows immediately.

Conversely, assume $x \sqsubseteq_{p,\gamma} y$ and thus $y$ factors as $y = y_1 (a_1, w_1) \cdots y_k (a_k, w_k)$. Since for every $(a, w)$ occurring in some $y_i$ we have $a \le a_i$, by repeatedly applying (34) we have $y \to^{*}_{\#,\gamma} z = (a_1, w_1) \cdots (a_k, w_k)$. Moreover, $v_i \le_{a_i} w_i$ for all $1 \le i \le k$, and thus by repeated application of (35) we get $z \to^{*}_{\#,\gamma} x$, as required. □
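
Lemma 8 can be checked exhaustively on a small alphabet. The Python below is an added example, not code from the paper: `embeds` decides the factorisation view of D.2 by dynamic programming, `rewrite_closure` enumerates the superseding view of D.1, and `lemma8_counterexample` compares the two. The function names, the encoding of strings as tuples of (priority, label) pairs and the constructed uniform two-label alphabet are assumptions made for the illustration.

```python
from itertools import product

def embeds(x, y, leq):
    """Factorisation view: does x embed in y? Strings are tuples of
    (priority, label); leq(a, v, w) decides v <=_a w at priority a."""
    # ok[i][j]: x[:i] embeds in y[:j]; by (36) only ok[0][0] holds in row 0.
    ok = [[False] * (len(y) + 1) for _ in range(len(x) + 1)]
    ok[0][0] = True
    for i, (a, v) in enumerate(x, 1):
        for j, (b, w) in enumerate(y, 1):
            if b != a or not leq(a, v, w):
                continue
            # y[j-1] plays (a_i, w_i); grow the factor y_i = y[k:j-1] leftwards
            # while its letters keep a priority <= a.
            k = j - 1
            while not ok[i - 1][k] and k > 0 and y[k - 1][0] <= a:
                k -= 1
            ok[i][j] = ok[i - 1][k]
    return ok[len(x)][len(y)]

def rewrite_closure(y, labels, leq):
    """Superseding view: all strings reachable from y via rules (34) and (35)."""
    seen, todo = {y}, [y]
    while todo:
        s = todo.pop()
        for i, (a, w) in enumerate(s):
            succs = [s[:i] + ((a, u),) + s[i + 1:]          # rule (35)
                     for u in labels if u != w and leq(a, u, w)]
            if i + 1 < len(s) and a <= s[i + 1][0]:          # rule (34)
                succs.append(s[:i] + s[i + 1:])
            for t in succs:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen

def lemma8_counterexample(d=1, labels=(0, 1), max_len=3):
    """Compare both views on every pair of short strings over a constructed
    uniform alphabet; returns a disagreeing pair (x, y) or None."""
    leq = lambda a, v, w: v <= w      # assumption: (labels, <=) at every priority
    sigma = list(product(range(d + 1), labels))
    words = [w for n in range(max_len + 1) for w in product(sigma, repeat=n)]
    for y in words:
        below = rewrite_closure(y, labels, leq)
        for x in words:
            if (x in below) != embeds(x, y, leq):
                return (x, y)
    return None
```

The rightmost letter of a string is never superseded, which is why the empty string is reachable only from itself, matching (36).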

D.3 Generalized Priority Embedding is a WQO 

Our main result of interest is that generalized priority embeddings establish a 
wqo. 

Theorem 25. Let $\Sigma_{d,\gamma}$ be a generalized priority alphabet. Then $(\Sigma_{d,\gamma}^*, \sqsubseteq_{p,\gamma})$ is a wqo.

Proof. We proceed by induction on $d$. For the induction step, any $x \in \Sigma_{d,\gamma}^*$ can be uniquely factored as

$$x = x_0 (d, v_1) \cdots x_{m-1} (d, v_m)\, x_m$$

such that $x_i \in \Sigma_{d-1,\gamma}^*$ for all $0 \le i \le m$. By the induction hypothesis, $(\Sigma_{d-1,\gamma}^*, \sqsubseteq_{p,\gamma})$ is a wqo. We define an order reflection $r\colon \Sigma_{d,\gamma}^* \to \Theta_{d,\gamma}$, where

$$\Theta_{d,\gamma} \stackrel{\text{def}}{=} \Sigma_{d-1,\gamma}^* + \Sigma_{d-1,\gamma}^* \times \bigl((\{d\} \times \Gamma_d) \times \Sigma_{d-1,\gamma}^*\bigr)^* \times (\{d\} \times \Gamma_d) \times \Sigma_{d-1,\gamma}^*.$$

Since $\Theta_{d,\gamma}$ is obtained from the well-quasi orders $(\Sigma_{d-1,\gamma}^*, \sqsubseteq_{p,\gamma})$, $(\Gamma_d, \le_d)$ and equality on $\{d\}$ by disjoint sum, Cartesian product and substring embedding, this allows us to conclude that $(\Sigma_{d,\gamma}^*, \sqsubseteq_{p,\gamma})$ is a wqo. To this end, for $x$ and $m$ as above such that $m > 0$, define

$$r(x) = \bigl(x_0, (((d, v_1), x_1) \cdots ((d, v_{m-1}), x_{m-1})), (d, v_m), x_m\bigr), \tag{40}$$

and $r(x) = x_0$ if $m = 0$. We need to verify that whenever $r(x) \le r(y)$ wrt. the ordering $\le$ associated with $\Theta_{d,\gamma}$ then $x \sqsubseteq_{p,\gamma} y$. This is obvious when both $r(x) = x$ and $r(y) = y$. Otherwise, let $r(x)$ be as in (40) and write

$$r(y) = \bigl(y_0, (((d, w_1), y_1) \cdots ((d, w_{n-1}), y_{n-1})), (d, w_n), y_n\bigr).$$

Since $r(x) \le r(y)$, through the subword ordering there exist indices $i_1, \ldots, i_{m-1}$ such that for

$$u = \bigl(y_0, (((d, w_{i_1}), y_{i_1}) \cdots ((d, w_{i_{m-1}}), y_{i_{m-1}})), (d, w_n), y_n\bigr),$$

we have $r(x) \le u$. By assumption, $x_0 \sqsubseteq_{p,\gamma} y_0$, $x_m \sqsubseteq_{p,\gamma} y_n$, and furthermore $v_j \le_d w_{i_j}$ and $x_j \sqsubseteq_{p,\gamma} y_{i_j}$ for all $1 \le j < m$. By repeatedly applying (37) and (39), we get

(d,Vj)xj C P:7 (d,w i3 _ 1+ i)y ij ._ 1+ i ■ • • C P:7 (d,Wi.)yi. 

for all $1 \le j \le m$, where $i_0 \stackrel{\text{def}}{=} 0$ and $i_m \stackrel{\text{def}}{=} n$. Consequently, $x \sqsubseteq_{p,\gamma} y$ as required. □

D.4 Reflecting Bounded-Depth Trees 

Thanks to generalized priority embeddings, we can extend the reflection of Section 4 to handle trees labeled by elements of some wqo $(\Gamma, \le)$. This is done simply by employing a uniform generalized priority alphabet $\Sigma_{d,\Gamma}$, i.e. by setting $\gamma(i) = (\Gamma, \le)$ for all $i$, and by defining the reflection $s_d\colon T_d(\Gamma) \to \Sigma_{d,\Gamma}^*$ through

$$s_d(f(t_1 \cdots t_n)) \stackrel{\text{def}}{=} \begin{cases} (d, f) & \text{if } n = 0, \\ s_{d-1}(t_1)(d, f) \cdots s_{d-1}(t_n)(d, f) & \text{otherwise.} \end{cases} \tag{41}$$

The corresponding notion of strong tree embeddings uses a single step

$$C[f(t_1 \cdots t_{i-1} t_{i+1} \cdots t_n)] \sqsubseteq_T C[g(t_1 \cdots t_{i-1} t_i t_{i+1} \cdots t_n)] \tag{42}$$

whenever $f \le g$ in $\Gamma$. We leave as an exercise to the reader to check that $s_d$ is an order reflection from $(T_d(\Gamma), \sqsubseteq_T)$ to $(\Sigma_{d,\gamma}^*, \sqsubseteq_{p,\gamma})$ as in Prop. 3.

D.5 Relationship to Tree Minors

Gupta gives in (Gupta 1992) a constructive proof that finite rooted trees with an ordering on the children of every internal vertex (called planar planted trees) are well-quasi-ordered under minors. Recall that $t_1$ is a minor of $t_2$ if $t_1$ can be obtained from $t_2$ by a series of edge contractions, e.g. in the figure below repeated from Figure 2 the left tree is a minor of the right one.

Gupta provides in (Gupta 1992) an effective linearisation which essentially associates with every tree $t$ a word $r(t)$ over the uniform generalized prioritised alphabet $\Sigma_{d,\gamma}$, where $d$ is the number of vertices of $t$ and $\gamma = (\Gamma, =)$ with $\Gamma = \{v_1, v_2, v_3\}$.

Given $x = r(t_1) = (a_1, w_1)(a_2, w_2) \ldots (a_k, w_k) \in \Sigma_{d,\gamma}^*$ and $y = r(t_2)$, he shows that $t_1$ is a minor of $t_2$ if $x$ embeds in $y$ (written $x \sqsubseteq_g y$) as follows: $y$ can be factored as $y = y_1 y_2 \cdots y_k$ such that $y_i \in \Sigma_{a_i,\gamma}^*$ and $(a_i, w_i)$ is a substring of $y_i$ for all $1 \le i \le k$. This ordering is closely related to ours. In fact, it is easily seen that $\sqsubseteq_{p,\gamma}$ can be viewed as a sub-structure of $\sqsubseteq_g$, as $x \sqsubseteq_{p,\gamma} y$ implies $x \sqsubseteq_g y$. Thus, our Thm. 25 yields as a byproduct that $\sqsubseteq_g$ is a wqo.



E Maximal Order Types 

The maximal order type of a wqo $(X, \le)$ is a measure of its complexity defined by de Jongh and Parikh (1977) as the maximal order type of its linearizations: a linearization $\prec$ of $\le$ is a total linear ordering over $X$ that contains $\le \setminus \ge$ as a subrelation. Any such linearization of a wqo is well-founded and thus isomorphic to an ordinal, called its order type, and the maximal order type is therefore the maximal such ordinal.

De Jongh and Parikh provide formulae to compute the maximal order types 
of wqos based on their algebraic decompositions as disjoint sums, cartesian 
products, and Kleene star — using respectively the sum ordering, the product 
ordering, and the subword embedding ordering — : for wqos A and B of maximal 
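order types in $\varepsilon_0$,

$$o(A + B) = o(A) \oplus o(B)$$

$$o(A \times B) = o(A) \otimes o(B)$$

$$o(A^*) = \begin{cases} \omega^{\omega^{o(A)-1}} & \text{if } A \text{ is finite,} \\ \omega^{\omega^{o(A)}} & \text{otherwise.} \end{cases}$$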



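Here, the $\oplus$ and $\otimes$ operations are the natural sum and natural product on ordinals, defined for ordinals in CNF in $\varepsilon_0$ by

$$\sum_{i=1}^{m} \omega^{\beta_i} \oplus \sum_{j=1}^{n} \omega^{\beta'_j} \stackrel{\text{def}}{=} \sum_{k=1}^{m+n} \omega^{\gamma_k}, \qquad \sum_{i=1}^{m} \omega^{\beta_i} \otimes \sum_{j=1}^{n} \omega^{\beta'_j} \stackrel{\text{def}}{=} \bigoplus_{i=1}^{m} \bigoplus_{j=1}^{n} \omega^{\beta_i \oplus \beta'_j}, \tag{43}$$

where $\gamma_1 \ge \cdots \ge \gamma_{m+n}$ is a reordering of $\beta_1, \ldots, \beta_m, \beta'_1, \ldots, \beta'_n$.

An immediate consequence of the definition of a maximal order type is that, if $(A, \le_A)$ reflects $(B, \le_B)$, then $o(A) \ge o(B)$.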